d97c4a27c15e58a2ce96e1b7bf2bc78dfcfa71673b904d08b261ad8e8c25215c

Analysis

max time kernel
2s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ad3a3643c22d7fcf42a800ca9fba629_JaffaCakes118.exe
Size

92KB
MD5

5ad3a3643c22d7fcf42a800ca9fba629
SHA1

32ea40dd7ce53b2341da906e306115fe59e8bce9
SHA256

d97c4a27c15e58a2ce96e1b7bf2bc78dfcfa71673b904d08b261ad8e8c25215c
SHA512

92d199ae6b3d0d23f357a11b1406decaee58996a1eed424f0aba4aab8bf4369050af03c45f7cf2b0e3d9cbe8b163d791c2e96a0fccce3b4aa8990cd7f41f89ba
SSDEEP

384:sqDRr6PGpcohnDRr6PGpco/BXGUvn2Z6nOmHT8myvc0Uz1D9pQBY2TAKYtax:L1yfm1yfbQ2cHT81vc1AY2fx

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2052	5ad3a3643c22d7fcf42a800ca9fba629_JaffaCakes118.exe
2052	5ad3a3643c22d7fcf42a800ca9fba629_JaffaCakes118.exe
2052	5ad3a3643c22d7fcf42a800ca9fba629_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\msccrt = "C:\\Windows\\msccrt.exe"	5ad3a3643c22d7fcf42a800ca9fba629_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msccrt.dll	5ad3a3643c22d7fcf42a800ca9fba629_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\msccrt.exe	5ad3a3643c22d7fcf42a800ca9fba629_JaffaCakes118.exe
File opened for modification	C:\Windows\msccrt.exe	5ad3a3643c22d7fcf42a800ca9fba629_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2052	5ad3a3643c22d7fcf42a800ca9fba629_JaffaCakes118.exe
2052	5ad3a3643c22d7fcf42a800ca9fba629_JaffaCakes118.exe
2052	5ad3a3643c22d7fcf42a800ca9fba629_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2052	5ad3a3643c22d7fcf42a800ca9fba629_JaffaCakes118.exe
2052	5ad3a3643c22d7fcf42a800ca9fba629_JaffaCakes118.exe
2052	5ad3a3643c22d7fcf42a800ca9fba629_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 1268	2052	5ad3a3643c22d7fcf42a800ca9fba629_JaffaCakes118.exe	21
PID 2052 wrote to memory of 1268	2052	5ad3a3643c22d7fcf42a800ca9fba629_JaffaCakes118.exe	21
PID 2052 wrote to memory of 1268	2052	5ad3a3643c22d7fcf42a800ca9fba629_JaffaCakes118.exe	21
PID 2052 wrote to memory of 1268	2052	5ad3a3643c22d7fcf42a800ca9fba629_JaffaCakes118.exe	21
PID 2052 wrote to memory of 1268	2052	5ad3a3643c22d7fcf42a800ca9fba629_JaffaCakes118.exe	21
PID 2052 wrote to memory of 1268	2052	5ad3a3643c22d7fcf42a800ca9fba629_JaffaCakes118.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\5ad3a3643c22d7fcf42a800ca9fba629_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5ad3a3643c22d7fcf42a800ca9fba629_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\msccrt.dll

Filesize
27KB

MD5
40a0ba4156091c666b38f07341e48587

SHA1
56b714174096151306bc5507028eea6d1ae6001d

SHA256
eb3b627ac4fd97027583fccaaf27d4b46d2b73b8037c3245e1bb58f16620bf08

SHA512
eaf4a16c08e7fa43c5ce3398a79581d7aa899985cda7a5d137bdfe44e7d45e078b92a53681355777b920dc4f9d991905c372e0537af5c97161ccb5b6a997c270

Download Submit
memory/1268-3-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1268-3-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1268-3-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/2052-8-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2052-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-7-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-8-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2052-7-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-8-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2052-7-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download