0f60becfc6922658d3bfce2a328dbb2fd28f87834f7ce5c0b0a2c0f858f9519a

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

485e9bba9dcdec68bc411222a964aa06_JaffaCakes118.exe
Size

198KB
MD5

485e9bba9dcdec68bc411222a964aa06
SHA1

bb829e0edf30fa47e5fdbd8a729d3ba20d8fb89c
SHA256

0f60becfc6922658d3bfce2a328dbb2fd28f87834f7ce5c0b0a2c0f858f9519a
SHA512

f10c4bca8f8321314fc27c093cfc256cf6ce4e4290d944e1a271ebfcacdc293f7ee4dc80ac950bb0f40f14313ece15c9dda9783759595c55b3fc0834a075546e
SSDEEP

6144:BKELo7CRYfxueKdE89vDmOlKIDgkLo7VBXk3:lLoeRBe+EoKIckw

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1692	server2.exe

Loads dropped DLL 2 IoCs

pid	Process
2028	485e9bba9dcdec68bc411222a964aa06_JaffaCakes118.exe
2028	485e9bba9dcdec68bc411222a964aa06_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	485e9bba9dcdec68bc411222a964aa06_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1692	server2.exe
1692	server2.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1692	2028	485e9bba9dcdec68bc411222a964aa06_JaffaCakes118.exe	30
PID 2028 wrote to memory of 1692	2028	485e9bba9dcdec68bc411222a964aa06_JaffaCakes118.exe	30
PID 2028 wrote to memory of 1692	2028	485e9bba9dcdec68bc411222a964aa06_JaffaCakes118.exe	30
PID 2028 wrote to memory of 1692	2028	485e9bba9dcdec68bc411222a964aa06_JaffaCakes118.exe	30
PID 1692 wrote to memory of 1244	1692	server2.exe	21
PID 1692 wrote to memory of 1244	1692	server2.exe	21
PID 1692 wrote to memory of 1244	1692	server2.exe	21
PID 1692 wrote to memory of 1244	1692	server2.exe	21
PID 1692 wrote to memory of 1244	1692	server2.exe	21
PID 1692 wrote to memory of 1244	1692	server2.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244
- C:\Users\Admin\AppData\Local\Temp\485e9bba9dcdec68bc411222a964aa06_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\485e9bba9dcdec68bc411222a964aa06_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server2.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server2.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\server2.exe

Filesize
156KB

MD5
5af7dd3c1884395d679ffcc5f443ffbd

SHA1
9b6d531c766656cb6d265d73c3553bc7681ea9f2

SHA256
339409d5c0ef2eedb271f29b316cc29f49e65b9a0a436bbbd179e1e7547667b5

SHA512
b261cd31b531db40b6509426faa4d6f0830ba7155aedc39e07fcc597766bdfdab6620bce7f0624ce3e0c65b06de8005254d0caa5dc08a54c9250a627c19476a3

Download Submit
memory/1244-14-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/1244-21-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/1692-11-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1692-10-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/1692-13-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1692-17-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download