97162c2f0b5246cb6c3b4f48bb30b99ed29578089ee0d400f63c3f678a6d8e07

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 03:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5a58c5057cc9948838b5497a4f1c3129_JaffaCakes118.exe
Size

656KB
MD5

5a58c5057cc9948838b5497a4f1c3129
SHA1

51cc481c1d79980f3dcd4933c75998482db0549e
SHA256

97162c2f0b5246cb6c3b4f48bb30b99ed29578089ee0d400f63c3f678a6d8e07
SHA512

487d10127356819bfab0d7ec7f1cd6d3bb786aac2a4099ccae5f7d8d086bc4c9bb9259b7fd4011e1b3795781a8b941caf7dd5f728c73b17f33ef0d2eedf70199
SSDEEP

12288:uY9Dp9btJqFwzcDCx66lEHKjvscCVDju2wg8a/TJL+ELd3lYkO/RpRm:uY9zLRzNsv+8aTg8+JLLdVa/Jm

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3068	¸´¼þ1~1.EXE
2544	Setup.exe

Loads dropped DLL 3 IoCs

pid	Process
3044	5a58c5057cc9948838b5497a4f1c3129_JaffaCakes118.exe
3044	5a58c5057cc9948838b5497a4f1c3129_JaffaCakes118.exe
3068	¸´¼þ1~1.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5a58c5057cc9948838b5497a4f1c3129_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 3068	3044	5a58c5057cc9948838b5497a4f1c3129_JaffaCakes118.exe	30
PID 3044 wrote to memory of 3068	3044	5a58c5057cc9948838b5497a4f1c3129_JaffaCakes118.exe	30
PID 3044 wrote to memory of 3068	3044	5a58c5057cc9948838b5497a4f1c3129_JaffaCakes118.exe	30
PID 3044 wrote to memory of 3068	3044	5a58c5057cc9948838b5497a4f1c3129_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2544	3068	¸´¼þ1~1.EXE	31
PID 3068 wrote to memory of 2544	3068	¸´¼þ1~1.EXE	31
PID 3068 wrote to memory of 2544	3068	¸´¼þ1~1.EXE	31
PID 3068 wrote to memory of 2544	3068	¸´¼þ1~1.EXE	31
PID 3068 wrote to memory of 2544	3068	¸´¼þ1~1.EXE	31
PID 3068 wrote to memory of 2544	3068	¸´¼þ1~1.EXE	31
PID 3068 wrote to memory of 2544	3068	¸´¼þ1~1.EXE	31

C:\Users\Admin\AppData\Local\Temp\5a58c5057cc9948838b5497a4f1c3129_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5a58c5057cc9948838b5497a4f1c3129_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\¸´¼þ1~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\¸´¼þ1~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\Setup.exe
    C:\Users\Admin\AppData\Local\Temp\\Setup.exe
    3⤵
    - Executes dropped EXE
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\¸´¼þ1~1.EXE

Filesize
736KB

MD5
ff975d24fb91543abf9658b7dcc6441a

SHA1
149798579c7fc51bb04f208b009d12764943280f

SHA256
afc46984aaea4f68c0fb512c1119bd3faf2b922edd5365806dac0d9251cb3ce7

SHA512
6f1b6c9e1eab14f5721a98906e5fcda11b319b31d63d8769b3db0c0e16629e85ee49df875a96c6fa30bf080598679531764fda9020593e65c1fda1e2374a61bf

Download Submit
\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
708KB

MD5
b859ba56471cda8bf8929d0c0851538c

SHA1
a5a7948b5047a908d1e68b9e21f2fbcf13b0c7d9

SHA256
c803899f4dbdcd9317839fa2c621f8343131e2ebc5faa73b53ed1c8a8bd7720b

SHA512
c91189891208e50964216a393b7041c2cf7efa36a6433c62dfbcb13ec6a72b96444365bf716df0091989bfc58e9079329dcf59de8df1a383458cb323648aefdc

Download Submit
memory/2544-20-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2544-21-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3044-4-0x0000000001001000-0x00000000011AB000-memory.dmp

Filesize
1.7MB

Download
memory/3044-1-0x0000000001000000-0x000000000124F00F-memory.dmp

Filesize
2.3MB

Download
memory/3044-0-0x0000000001000000-0x000000000124F00F-memory.dmp

Filesize
2.3MB

Download
memory/3044-14-0x0000000001000000-0x000000000124F00F-memory.dmp

Filesize
2.3MB

Download
memory/3044-25-0x0000000001001000-0x00000000011AB000-memory.dmp

Filesize
1.7MB

Download
memory/3044-24-0x0000000001000000-0x000000000124F00F-memory.dmp

Filesize
2.3MB

Download
memory/3068-23-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3068-19-0x0000000001FD0000-0x0000000002088000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads