f84371debe164427c72924c109c009d85121e5723a704a68e5b84433dbfd34d3

Analysis

max time kernel
142s
max time network
134s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 13:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5c37f62538c8647b0d468665cfbebb0e_JaffaCakes118.exe
Size

684KB
MD5

5c37f62538c8647b0d468665cfbebb0e
SHA1

d3568984757a0dd2af9f494c648949d0ab118d48
SHA256

f84371debe164427c72924c109c009d85121e5723a704a68e5b84433dbfd34d3
SHA512

3eac285bb400cd369bbe9faa951c92b78fedca1ac5867624934a60ebeafbc01771747baa498ca4ca2e0c191cd59709bc567c836675b7584ea709c1a7c168f53c
SSDEEP

12288:eMrlxGP1kPo2434MmvIPBFI3WTIU3FowZF3Z4mxx+UUq9U9s+K85E:5rlxGtzQhI5a3WMUnZQmX+JKKKP

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2320	Server.exe
2812	Hacker.com.cn.exe

Loads dropped DLL 2 IoCs

pid	Process
2000	5c37f62538c8647b0d468665cfbebb0e_JaffaCakes118.exe
2000	5c37f62538c8647b0d468665cfbebb0e_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5c37f62538c8647b0d468665cfbebb0e_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Hacker.com.cn.exe	Server.exe
File created	C:\Windows\Hacker.com.cn.exe	Server.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	Server.exe
Token: SeDebugPrivilege	2812	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2812	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2320	2000	5c37f62538c8647b0d468665cfbebb0e_JaffaCakes118.exe	30
PID 2000 wrote to memory of 2320	2000	5c37f62538c8647b0d468665cfbebb0e_JaffaCakes118.exe	30
PID 2000 wrote to memory of 2320	2000	5c37f62538c8647b0d468665cfbebb0e_JaffaCakes118.exe	30
PID 2000 wrote to memory of 2320	2000	5c37f62538c8647b0d468665cfbebb0e_JaffaCakes118.exe	30
PID 2812 wrote to memory of 2724	2812	Hacker.com.cn.exe	32
PID 2812 wrote to memory of 2724	2812	Hacker.com.cn.exe	32
PID 2812 wrote to memory of 2724	2812	Hacker.com.cn.exe	32
PID 2812 wrote to memory of 2724	2812	Hacker.com.cn.exe	32

C:\Users\Admin\AppData\Local\Temp\5c37f62538c8647b0d468665cfbebb0e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5c37f62538c8647b0d468665cfbebb0e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2320

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe

Filesize
744KB

MD5
07dd9998db4fc64f70a43cc5b55bf37e

SHA1
a6bd9096ae55ac2cb4848c948f004a3a6655626e

SHA256
d94e424cd257651862e69dcc09c7f1926fe4004a5c09f9d93045d5891f13cb97

SHA512
7154e058da403cf806286564f1af75ae2d735d96c97468febc0db97bcd9540e6e0eb707b0499c84d42237f8c702e84089ec3da62c1d13c4424a05f332f6f9b93

Download Submit
memory/2000-12-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/2000-15-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2000-29-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2000-28-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2000-27-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2000-26-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/2000-25-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/2000-24-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/2000-23-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/2000-22-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/2000-21-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/2000-20-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2000-19-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/2000-18-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/2000-17-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/2000-16-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2000-1-0x0000000000710000-0x0000000000764000-memory.dmp

Filesize
336KB

Download
memory/2000-14-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/2000-30-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/2000-13-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2000-8-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2000-10-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2000-9-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2000-11-0x0000000003120000-0x0000000003123000-memory.dmp

Filesize
12KB

Download
memory/2000-7-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2000-6-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2000-5-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2000-4-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2000-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2000-2-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2000-0-0x0000000001000000-0x00000000010BA000-memory.dmp

Filesize
744KB

Download
memory/2000-41-0x00000000037E0000-0x00000000038A3000-memory.dmp

Filesize
780KB

Download
memory/2000-40-0x00000000037E0000-0x00000000038A3000-memory.dmp

Filesize
780KB

Download
memory/2000-51-0x0000000000710000-0x0000000000764000-memory.dmp

Filesize
336KB

Download
memory/2000-50-0x0000000001000000-0x00000000010BA000-memory.dmp

Filesize
744KB

Download
memory/2320-49-0x0000000000400000-0x00000000004C2200-memory.dmp

Filesize
776KB

Download
memory/2320-42-0x0000000000400000-0x00000000004C2200-memory.dmp

Filesize
776KB

Download
memory/2812-47-0x0000000000400000-0x00000000004C2200-memory.dmp

Filesize
776KB

Download
memory/2812-52-0x0000000000400000-0x00000000004C2200-memory.dmp

Filesize
776KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads