2d833c114060390bf2285ab25d60e363885c54d903b67269a304441f8a2a9701

Analysis

max time kernel
149s
max time network
129s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 21:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5dc8336f8e4a9a91c842f4fe30943b4d_JaffaCakes118.exe
Size

208KB
MD5

5dc8336f8e4a9a91c842f4fe30943b4d
SHA1

e94baa4eed178f271945c363821055e451ab2416
SHA256

2d833c114060390bf2285ab25d60e363885c54d903b67269a304441f8a2a9701
SHA512

91b5e6bd8d6475c44d0041ea053dd88e528a6c8e0d72608c7db8cf07e05f375c627e9566e46a87a34e974f9896f49213e9894aa85993de73a3f08de1404b5024
SSDEEP

6144:Cuj1mBg+5W/TB6WJEoO/gf9tBFek5VDX:Jj1ma6yOIltnek

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3040	webmqjut.exe
2192	SOEX4AGG7JA.EXE

Loads dropped DLL 4 IoCs

pid	Process
2544	5dc8336f8e4a9a91c842f4fe30943b4d_JaffaCakes118.exe
2544	5dc8336f8e4a9a91c842f4fe30943b4d_JaffaCakes118.exe
3040	webmqjut.exe
3040	webmqjut.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rrvfcaij = "C:\\Users\\Admin\\Local Settings\\Application Data\\webmqjut.exe"	5dc8336f8e4a9a91c842f4fe30943b4d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2544	5dc8336f8e4a9a91c842f4fe30943b4d_JaffaCakes118.exe
3040	webmqjut.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 3040	2544	5dc8336f8e4a9a91c842f4fe30943b4d_JaffaCakes118.exe	30
PID 2544 wrote to memory of 3040	2544	5dc8336f8e4a9a91c842f4fe30943b4d_JaffaCakes118.exe	30
PID 2544 wrote to memory of 3040	2544	5dc8336f8e4a9a91c842f4fe30943b4d_JaffaCakes118.exe	30
PID 2544 wrote to memory of 3040	2544	5dc8336f8e4a9a91c842f4fe30943b4d_JaffaCakes118.exe	30
PID 3040 wrote to memory of 2192	3040	webmqjut.exe	31
PID 3040 wrote to memory of 2192	3040	webmqjut.exe	31
PID 3040 wrote to memory of 2192	3040	webmqjut.exe	31
PID 3040 wrote to memory of 2192	3040	webmqjut.exe	31

C:\Users\Admin\AppData\Local\Temp\5dc8336f8e4a9a91c842f4fe30943b4d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5dc8336f8e4a9a91c842f4fe30943b4d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\Local Settings\Application Data\webmqjut.exe
  "C:\Users\Admin\Local Settings\Application Data\webmqjut.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\SOEX4AGG7JA.EXE
    C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\SOEX4AGG7JA.EXE -r 22058 tcp
    3⤵
    - Executes dropped EXE
    PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\webmqjut.exe

Filesize
208KB

MD5
5dc8336f8e4a9a91c842f4fe30943b4d

SHA1
e94baa4eed178f271945c363821055e451ab2416

SHA256
2d833c114060390bf2285ab25d60e363885c54d903b67269a304441f8a2a9701

SHA512
91b5e6bd8d6475c44d0041ea053dd88e528a6c8e0d72608c7db8cf07e05f375c627e9566e46a87a34e974f9896f49213e9894aa85993de73a3f08de1404b5024

Download Submit
C:\Users\Admin\Local Settings\Application Data\11825442\tst

Filesize
10B

MD5
3227088cabb14c832c32470e64e33f9b

SHA1
96a8cd3831ccb712641bc17892ddd6e890cbff46

SHA256
b364704372b5d587ab42f53dd8e29c4fc48dd631ac631a9e99fbf82f9bfe8251

SHA512
6dcbc39b99a63f4e68167e3905cccbf760e5ac8bacde03c3ae7fa07453d5ae67fce6578850d6e4a684448824924b3f8b7d49827bba43c3c931fa80d193aa54db

Download Submit
\Users\Admin\AppData\Local\Temp\SOEX4AGG7JA.EXE

Filesize
20KB

MD5
4df0b1b7b7272ea84d24f3abcb8588e2

SHA1
05db3478ca1c44e830752b0555a9476c5d9320df

SHA256
6d24c2f6d6ac701fd430fb9f8cffb245621d1eedc50267d3f4af44846a67a308

SHA512
ec9dee26887caa66ee789fa079d53b8ae9f20c0d2d261a816f83f43dea520a06689d9ffe477f9ca77febf55f937c12e38f794b5d77614cf93aa0e4f8b90ae017

Download Submit
memory/2192-23-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2544-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2544-11-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download