Overview

overview

8

Static

static

3

5f0bb5d859...18.exe

windows7-x64

8

5f0bb5d859...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    20/07/2024, 04:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5f0bb5d859680f429caf565adacbc438_JaffaCakes118.exe

  • Size

    534KB

  • MD5

    5f0bb5d859680f429caf565adacbc438

  • SHA1

    4ee0d94977518b142d7dcfcaa713c814b8614c2e

  • SHA256

    3567de104c795a7d72d34ad711e2e87e33dedbce825158bcf295868bcce90704

  • SHA512

    1e790031f3de58ea220adc8be1ba7a6b9722a997dd0d031ae3756a9660c4db1c65fbc995c4c5d19b6ab00178e9d44791c1f564ffb3311bc2cdb21126c8e11bb6

  • SSDEEP

    12288:aB54If0JlqJIpN++VUdPWzGbZr/pS82kuw82A3vzqunS41gvt:aBFBEo+GPuGb3WZ6Azv

Score
8/10
persistenceprivilege_escalation

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • Loads dropped DLL 14 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f0bb5d859680f429caf565adacbc438_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5f0bb5d859680f429caf565adacbc438_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Windows\system32\crtclient32.dll",install
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2444
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\crtclient32.dll",watch
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:3044
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\crtclient32.dll",xserve
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        PID:2668

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\SysWOW64\crtclient32.dll
    Filesize

    424KB

    MD5

    713014c101c0dc55845f7cc689792b4c

    SHA1

    c604f1c6e96993dc609d3a47ab07a5f28042e812

    SHA256

    aaa6ebd7e46248d263d7237b589f30b0bea26951b19ee59ce6179c9171c96139

    SHA512

    4458d2abc8cfbbf86ca3238f09945d75464caa93e584db82852269c9f2960e36a4f2421eb856d8bc6b5386b64b019e58149e73c76e59fd4475606b99de79556a

    Download Submit

  • memory/1412-1-0x0000000000400000-0x0000000000487000-memory.dmp

    Filesize

    540KB

    Download

  • memory/1412-0-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1412-39-0x0000000000400000-0x0000000000487000-memory.dmp

    Filesize

    540KB

    Download

  • memory/2444-9-0x00000000745F0000-0x00000000746AE000-memory.dmp

    Filesize

    760KB

    Download

  • memory/2444-8-0x0000000001DA0000-0x0000000001EA0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2668-36-0x00000000008B0000-0x000000000096E000-memory.dmp

    Filesize

    760KB

    Download

  • memory/2668-45-0x00000000008B0000-0x000000000096E000-memory.dmp

    Filesize

    760KB

    Download

  • memory/2668-44-0x00000000745F0000-0x00000000746AE000-memory.dmp

    Filesize

    760KB

    Download

  • memory/3044-25-0x0000000000300000-0x00000000003BE000-memory.dmp

    Filesize

    760KB

    Download

  • memory/3044-23-0x0000000000300000-0x00000000003BE000-memory.dmp

    Filesize

    760KB

    Download

  • memory/3044-16-0x0000000000300000-0x0000000000400000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3044-42-0x00000000745F0000-0x00000000746AE000-memory.dmp

    Filesize

    760KB

    Download

  • memory/3044-43-0x0000000000300000-0x00000000003BE000-memory.dmp

    Filesize

    760KB

    Download

  • memory/3044-50-0x0000000000300000-0x0000000000400000-memory.dmp

    Filesize

    1024KB

    Download