87fb7c536c2c3f76504ea223f5f3115655f72b7323836d680f6d76cf054243aa

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59b19d37b4201fc4c4245d8ec866a9b6_JaffaCakes118.exe
Size

52KB
MD5

59b19d37b4201fc4c4245d8ec866a9b6
SHA1

22752525c20e5f9553fe7122e19d19ee3551112f
SHA256

87fb7c536c2c3f76504ea223f5f3115655f72b7323836d680f6d76cf054243aa
SHA512

a4597ac2e9fe11d777d261399c8a8955f5ae727d72ce1f6ec0312d8e66e8fe0acd59e798f2a40ae642c19a64707867e909ae49e9aa640f1fc289de21a4505f0a
SSDEEP

768:nfEinyzqFK63Ik18xubThTQ1xTxFls+j:nry2ceDSldv3

Score

8^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Deletes itself 1 IoCs

pid	Process
2812	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2284	kandawfk.exe

Loads dropped DLL 2 IoCs

pid	Process
1908	59b19d37b4201fc4c4245d8ec866a9b6_JaffaCakes118.exe
1908	59b19d37b4201fc4c4245d8ec866a9b6_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kandawf.dll	59b19d37b4201fc4c4245d8ec866a9b6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\kandawfk.exe	59b19d37b4201fc4c4245d8ec866a9b6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\kandawfk.exe	59b19d37b4201fc4c4245d8ec866a9b6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2284	1908	59b19d37b4201fc4c4245d8ec866a9b6_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2284	1908	59b19d37b4201fc4c4245d8ec866a9b6_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2284	1908	59b19d37b4201fc4c4245d8ec866a9b6_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2284	1908	59b19d37b4201fc4c4245d8ec866a9b6_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2812	1908	59b19d37b4201fc4c4245d8ec866a9b6_JaffaCakes118.exe	32
PID 1908 wrote to memory of 2812	1908	59b19d37b4201fc4c4245d8ec866a9b6_JaffaCakes118.exe	32
PID 1908 wrote to memory of 2812	1908	59b19d37b4201fc4c4245d8ec866a9b6_JaffaCakes118.exe	32
PID 1908 wrote to memory of 2812	1908	59b19d37b4201fc4c4245d8ec866a9b6_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\59b19d37b4201fc4c4245d8ec866a9b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\59b19d37b4201fc4c4245d8ec866a9b6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\SysWOW64\kandawfk.exe
  C:\Windows\system32\kandawfk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\59b19d37b4201fc4c4245d8ec866a9b6_JaffaCakes118.exe.bat
  2⤵
  - Deletes itself
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\59b19d37b4201fc4c4245d8ec866a9b6_JaffaCakes118.exe.bat

Filesize
210B

MD5
f9167654edcf6113b3354672e4679964

SHA1
51a236bd18b70a64425fd7b231f0ce480c61167b

SHA256
91879312e72fa3b3630594af1e425521106fee18556acea91803322bb7ab8917

SHA512
54bd9678a5e75dd2e00dc9840d3093a062ef0ce70cb64179f54c56c2f42fd2364f7c9eab76b7b1c4e6d9ca1512af5e5e40f5d45994f19ac53fa0add2839ce13a

Download Submit
\Windows\SysWOW64\kandawfk.exe

Filesize
52KB

MD5
59b19d37b4201fc4c4245d8ec866a9b6

SHA1
22752525c20e5f9553fe7122e19d19ee3551112f

SHA256
87fb7c536c2c3f76504ea223f5f3115655f72b7323836d680f6d76cf054243aa

SHA512
a4597ac2e9fe11d777d261399c8a8955f5ae727d72ce1f6ec0312d8e66e8fe0acd59e798f2a40ae642c19a64707867e909ae49e9aa640f1fc289de21a4505f0a

Download Submit