d92343d1f2450e19194be54fb4408335fd9acafa34077551c3fa6dfbe216529a

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 12:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5bfd7c62757ae1cb38215b982995696e_JaffaCakes118.exe
Size

786KB
MD5

5bfd7c62757ae1cb38215b982995696e
SHA1

5ad53acf02ad84ca9b06ff9123380dc1a87f3a49
SHA256

d92343d1f2450e19194be54fb4408335fd9acafa34077551c3fa6dfbe216529a
SHA512

cb4da9495db270210912acbe03b1bc66657ef9093602c10a604a8fa206462bb62524027f878cfb44f6625502d1c4fed35b63cd660c1f90613821f98ac80b186b
SSDEEP

12288:sskmfimeScH68aIG07BnGhCmccj9XikC7QLQqoPZF3Z4mxxfRbW1h8EJ:s9uM1VdnGEmceXiT7QcZZQmXfRi1eO

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2584	5.exe
2712	3.exe
3012	KK

Loads dropped DLL 4 IoCs

pid	Process
2064	5bfd7c62757ae1cb38215b982995696e_JaffaCakes118.exe
2064	5bfd7c62757ae1cb38215b982995696e_JaffaCakes118.exe
2584	5.exe
2584	5.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5bfd7c62757ae1cb38215b982995696e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	5.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3012 set thread context of 1472	3012	KK	33

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\KK	3.exe
File opened for modification	C:\Windows\KK	3.exe
File created	C:\Windows\UNINSTAL.BAT	3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	3.exe
Token: SeDebugPrivilege	3012	KK

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2584	2064	5bfd7c62757ae1cb38215b982995696e_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2584	2064	5bfd7c62757ae1cb38215b982995696e_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2584	2064	5bfd7c62757ae1cb38215b982995696e_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2584	2064	5bfd7c62757ae1cb38215b982995696e_JaffaCakes118.exe	30
PID 2584 wrote to memory of 2712	2584	5.exe	31
PID 2584 wrote to memory of 2712	2584	5.exe	31
PID 2584 wrote to memory of 2712	2584	5.exe	31
PID 2584 wrote to memory of 2712	2584	5.exe	31
PID 3012 wrote to memory of 1472	3012	KK	33
PID 3012 wrote to memory of 1472	3012	KK	33
PID 3012 wrote to memory of 1472	3012	KK	33
PID 3012 wrote to memory of 1472	3012	KK	33
PID 3012 wrote to memory of 1472	3012	KK	33
PID 3012 wrote to memory of 1472	3012	KK	33
PID 2712 wrote to memory of 2436	2712	3.exe	34
PID 2712 wrote to memory of 2436	2712	3.exe	34
PID 2712 wrote to memory of 2436	2712	3.exe	34
PID 2712 wrote to memory of 2436	2712	3.exe	34
PID 2712 wrote to memory of 2436	2712	3.exe	34
PID 2712 wrote to memory of 2436	2712	3.exe	34
PID 2712 wrote to memory of 2436	2712	3.exe	34

C:\Users\Admin\AppData\Local\Temp\5bfd7c62757ae1cb38215b982995696e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5bfd7c62757ae1cb38215b982995696e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\UNINSTAL.BAT
      4⤵
      PID:2436

C:\Windows\KK
C:\Windows\KK
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012
- C:\WINDOWS\SysWOW64\svchost.exe
  C:\WINDOWS\system32\svchost.exe
  2⤵
  PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe

Filesize
422KB

MD5
b43990bd747f4c75cddd6f34ca0c734a

SHA1
34798fd8baec03ced9ea3b02d2e3641a2e6f5bc9

SHA256
5fa5e99e30792907c2c7bb71eececd1fccf2836597d5302c6613422e833c12d0

SHA512
df942c6b934d20bc1f4a1f12ff021768f4d1f6a34dde97b9e427c5f2c2e46f2313d6e05691c68b2898b282298a11fdeaf845c2691b478331ffb68f289978c1fa

Download Submit
C:\Windows\UNINSTAL.BAT

Filesize
146B

MD5
179c36b93a4d81f1be3cefd74d2993c5

SHA1
1ec8a924a8da6b18002193b3f412044d7bfd9fba

SHA256
3fde54c36920e39225e939eed93cc1c7959dafe6008ae219b9b918faba7a90e2

SHA512
165b92b8383b4eed8291172b39c9841b166560570dad5ebe913f22f46200821fc503db5f0020cce7d7a732b0c7ef84adb45798054cae65e66a5d1ceba0dca58c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\3.exe

Filesize
735KB

MD5
845004e9eb891c7d58382f2690629abf

SHA1
dd083a0069b260b29aff4447069037017dcc8c7e

SHA256
64d52f50a621448781db168f2ea3ea732e61c79c3389aae7cf7ec77743ea5a73

SHA512
763afc8922a2b1db571db15faae6ee8e5dc7723edaabe04e55757849234730bf5cc1745ab58ad05c7dfe186e8736824045bcce60597e29864553ff7c8fa5a026

Download Submit
memory/1472-68-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1472-71-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2064-15-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/2064-12-0x0000000003140000-0x0000000003143000-memory.dmp

Filesize
12KB

Download
memory/2064-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2064-1-0x0000000000200000-0x0000000000254000-memory.dmp

Filesize
336KB

Download
memory/2064-0-0x0000000001000000-0x00000000010D3000-memory.dmp

Filesize
844KB

Download
memory/2064-31-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2064-30-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2064-27-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/2064-26-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/2064-25-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/2064-24-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/2064-23-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/2064-22-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/2064-21-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2064-20-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2064-19-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2064-18-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2064-13-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2064-16-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2064-9-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2064-3-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2064-14-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2064-17-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2064-11-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2064-10-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2064-4-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2064-38-0x0000000003800000-0x00000000038DE000-memory.dmp

Filesize
888KB

Download
memory/2064-78-0x0000000000200000-0x0000000000254000-memory.dmp

Filesize
336KB

Download
memory/2064-79-0x0000000001000000-0x00000000010D3000-memory.dmp

Filesize
844KB

Download
memory/2064-5-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2064-8-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2064-7-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2064-6-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2064-53-0x0000000001000000-0x00000000010D3000-memory.dmp

Filesize
844KB

Download
memory/2064-59-0x0000000000200000-0x0000000000254000-memory.dmp

Filesize
336KB

Download
memory/2584-50-0x0000000000380000-0x000000000044E000-memory.dmp

Filesize
824KB

Download
memory/2584-51-0x0000000000380000-0x000000000044E000-memory.dmp

Filesize
824KB

Download
memory/2584-40-0x0000000001000000-0x00000000010DE000-memory.dmp

Filesize
888KB

Download
memory/2584-43-0x0000000001000000-0x00000000010DE000-memory.dmp

Filesize
888KB

Download
memory/2584-74-0x0000000001000000-0x00000000010DE000-memory.dmp

Filesize
888KB

Download
memory/2712-54-0x0000000000400000-0x00000000004CD200-memory.dmp

Filesize
820KB

Download
memory/2712-73-0x0000000000400000-0x00000000004CD200-memory.dmp

Filesize
820KB

Download
memory/3012-81-0x0000000000400000-0x00000000004CD200-memory.dmp

Filesize
820KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads