7dde61f69415ffb78a11ac86760f99cd4e1ce840da4499885c000b75c6204f6a

Analysis

max time kernel
141s
max time network
134s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

497bb91fff49dcd8d17165617b51e6db_JaffaCakes118.exe
Size

795KB
MD5

497bb91fff49dcd8d17165617b51e6db
SHA1

444235e181d457d5686c07ee6fbc24eaad760c1c
SHA256

7dde61f69415ffb78a11ac86760f99cd4e1ce840da4499885c000b75c6204f6a
SHA512

9bd07792d22385a87f483b1e103d40c084243327c09a6c1e9bca8a41b47c805ff71d551a220ebcc710560ecb107c3551c3d4dd80b5cd07f720fd718cdff0a6a9
SSDEEP

12288:sRn8S++U4u/n/80dW5A0zyo6JwQ5oAlK+GbRvZBIkSZQQ52LYRg08yPwrRkSIXd:w8MU4ufxdW5A2mJr/khRv7IkSV3YFW

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2152	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2984	Windows XP.exe

Loads dropped DLL 1 IoCs

pid	Process
2984	Windows XP.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\PRogram Files\Windows XP.exe	497bb91fff49dcd8d17165617b51e6db_JaffaCakes118.exe
File opened for modification	C:\PRogram Files\Windows XP.exe	497bb91fff49dcd8d17165617b51e6db_JaffaCakes118.exe
File created	C:\PRogram Files\NDKHQI.DAT	497bb91fff49dcd8d17165617b51e6db_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\61642520.BAT	497bb91fff49dcd8d17165617b51e6db_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	497bb91fff49dcd8d17165617b51e6db_JaffaCakes118.exe
Token: SeDebugPrivilege	2984	Windows XP.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2984	Windows XP.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2984	Windows XP.exe
2984	Windows XP.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2004	2984	Windows XP.exe	31
PID 2984 wrote to memory of 2004	2984	Windows XP.exe	31
PID 2984 wrote to memory of 2004	2984	Windows XP.exe	31
PID 2984 wrote to memory of 2004	2984	Windows XP.exe	31
PID 2228 wrote to memory of 2152	2228	497bb91fff49dcd8d17165617b51e6db_JaffaCakes118.exe	32
PID 2228 wrote to memory of 2152	2228	497bb91fff49dcd8d17165617b51e6db_JaffaCakes118.exe	32
PID 2228 wrote to memory of 2152	2228	497bb91fff49dcd8d17165617b51e6db_JaffaCakes118.exe	32
PID 2228 wrote to memory of 2152	2228	497bb91fff49dcd8d17165617b51e6db_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\497bb91fff49dcd8d17165617b51e6db_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\497bb91fff49dcd8d17165617b51e6db_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\61642520.BAT
  2⤵
  - Deletes itself
  PID:2152

C:\PRogram Files\Windows XP.exe
"C:\PRogram Files\Windows XP.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PRogram Files\NDKHQI.DAT

Filesize
51KB

MD5
aefafdd5c9b62db20fd28e0f935263e8

SHA1
3df1cb906cc6180776143b3cc8dd77d2d6956d59

SHA256
9550cb7dcb5aae17c30239da490f44b782c0be45f626073a83cfafd45c9e8d3e

SHA512
e3e953bcede18dbd183defe2e60c1ba654cec65eaa7a8d483f262b77d76cdbba1a13a9adfd8804f586ccf6ae69f3053f8963d9d4c1193df17a5209fa06c53d40

Download Submit
C:\Program Files\Windows XP.exe

Filesize
795KB

MD5
497bb91fff49dcd8d17165617b51e6db

SHA1
444235e181d457d5686c07ee6fbc24eaad760c1c

SHA256
7dde61f69415ffb78a11ac86760f99cd4e1ce840da4499885c000b75c6204f6a

SHA512
9bd07792d22385a87f483b1e103d40c084243327c09a6c1e9bca8a41b47c805ff71d551a220ebcc710560ecb107c3551c3d4dd80b5cd07f720fd718cdff0a6a9

Download Submit
C:\Windows\61642520.BAT

Filesize
218B

MD5
223c94493235a122fb3e49bee8bcae22

SHA1
dc37ebd45a0bb7437ade54e069ed1e0ff5e64186

SHA256
aa907e53dc5191894b6b036e521eff2d65e29b79b007d90206fc34d3e993234a

SHA512
f4e407e4604e4d543cc30ee12ee4a8354c32ea4fdc08901ac7f4285f2ac1747f2a41230716f8bbad5835f5dcb92c496ec2ec231bfb6de0c26298a07ef0163f66

Download Submit
memory/2228-0-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/2228-17-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2984-6-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2984-9-0x0000000000320000-0x0000000000331000-memory.dmp

Filesize
68KB

Download
memory/2984-20-0x0000000000320000-0x0000000000331000-memory.dmp

Filesize
68KB

Download
memory/2984-19-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2984-23-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download