7d7607a080edf8475911d5b67bdaa41c1a3f500a9d92f381958a6561a594a915

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b8976b2238b0dad934799be50b38990_JaffaCakes118.exe
Size

20KB
MD5

5b8976b2238b0dad934799be50b38990
SHA1

2f111978e007e21210533ec26e5ba8ab5b6533b6
SHA256

7d7607a080edf8475911d5b67bdaa41c1a3f500a9d92f381958a6561a594a915
SHA512

ac25ce60c0850e5bb31362c4e9dd5a0b04ad6e4c64ca6aff01fa93fab80037719ee751a7ba4c9be7a113951a38b6ad5bc215280b7c43065dcccce9394613357b
SSDEEP

384:nKax1EcBUFgvnM36zrgkhAqFn3kiEVKQSOYt8//:KRcGFubrpAqFhEk

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1040	5b8976b2238b0dad934799be50b38990_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\TIMHost = "C:\\Windows\\TIMHost.exe"	5b8976b2238b0dad934799be50b38990_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\TIMHost.dll	5b8976b2238b0dad934799be50b38990_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\TIMHost.exe	5b8976b2238b0dad934799be50b38990_JaffaCakes118.exe
File opened for modification	C:\Windows\TIMHost.exe	5b8976b2238b0dad934799be50b38990_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1040	5b8976b2238b0dad934799be50b38990_JaffaCakes118.exe
1040	5b8976b2238b0dad934799be50b38990_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1040	5b8976b2238b0dad934799be50b38990_JaffaCakes118.exe
Token: SeDebugPrivilege	1040	5b8976b2238b0dad934799be50b38990_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1040	5b8976b2238b0dad934799be50b38990_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 1252	1040	5b8976b2238b0dad934799be50b38990_JaffaCakes118.exe	21
PID 1040 wrote to memory of 1252	1040	5b8976b2238b0dad934799be50b38990_JaffaCakes118.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252
- C:\Users\Admin\AppData\Local\Temp\5b8976b2238b0dad934799be50b38990_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5b8976b2238b0dad934799be50b38990_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\TIMHost.dll

Filesize
11KB

MD5
042190c04b55106db0561c9100d57a11

SHA1
be7aa761189d8436caf6b37d3ad17ded21c7edf2

SHA256
a9f590ff19dda2bf58ef23836c0d714958e0bd35c7e7529fbb8492763658abaa

SHA512
2cf364905ef91f047c2cbec69077c17cea7c5b004e5101c7a3eb427efe14e4ee6787d5733a9d32a8ce069fcbf6ef69de6f4023ec2db8d044cd378fa0c5a77341

Download Submit
memory/1040-0-0x0000000000400000-0x000000000041C04B-memory.dmp

Filesize
112KB

Download
memory/1040-13-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/1040-14-0x0000000000400000-0x000000000041C04B-memory.dmp

Filesize
112KB

Download
memory/1040-16-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1252-3-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1252-6-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1252-10-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download