a733101a34e69eff4a18d1ff69abb78dfb6c5df8193caff1a6fee1e33e99dd50

Analysis

max time kernel
17s
max time network
19s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 06:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe
Size

89KB
MD5

5f4cd295985dd3a7f0e32a771a27f165
SHA1

483eb6b97f707e7976fc93fd25a9b14c7762687d
SHA256

a733101a34e69eff4a18d1ff69abb78dfb6c5df8193caff1a6fee1e33e99dd50
SHA512

1a13f4b6cb7e010b0c73f3b6c19bbc22562bb8528d9f2eb6148cdf4cc9187988f97892d3fc63ce0eed71f2d46cc2a38dd5f99ee75790f04b02d188cf7cb02696
SSDEEP

1536:yR1m65Invxb8jgLYjFuoq51I6uM4+yMJCWEcZHljql1AVBySMo4N6dubB7GBd6Za:i865eb8jgEh+51IbMJCWDljLbbiJlhaR

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\AlxRes070510.exe	5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\AlxRes070510.exe	5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winsys32_070510.dll	5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winsys16_070510.dll	5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\scrsys070510.scr	5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\scrsys070510.scr	5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winsys32_070510.dll	5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\scrsys16_070510.scr	5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\scrsys16_070510.scr	5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winsys16_070510.dll	5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mywinsys.ini	5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1568	2508	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2508	5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe
2508	5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe
2508	5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe
2508	5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe
Token: SeDebugPrivilege	2508	5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe
Token: SeDebugPrivilege	2508	5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe
Token: SeDebugPrivilege	2508	5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 1568	2508	5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe	29
PID 2508 wrote to memory of 1568	2508	5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe	29
PID 2508 wrote to memory of 1568	2508	5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe	29
PID 2508 wrote to memory of 1568	2508	5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5f4cd295985dd3a7f0e32a771a27f165_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 228
  2⤵
  - Program crash
  PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mywinsys.ini

Filesize
39B

MD5
2bcb14198fac052116c036e8a21fe85b

SHA1
32f3137b5a44c76ef2c4b9ca5eac4a99dfea3825

SHA256
d776a075b45d84f5daea4f2770a1bab1a9ede702900d75457818c2fbdeadfd91

SHA512
49266a4e9e4c19b323f9937a2eff3709725fc73a16b5fe225119f6ab03ada5761e1402cfd07e3c5f036f409396cc39f220fb0e7a8e76d4f983dd951ca6277963

Download Submit