6c7c6101a3de28e0abbb30de69473479e28d518d67d122df5c0b64f1325cb637

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe
Size

70KB
MD5

5fc85e4419d8733b43b5ae25afb88fbd
SHA1

650b8906819e7b96b82a1788b58c5993c6b71c4a
SHA256

6c7c6101a3de28e0abbb30de69473479e28d518d67d122df5c0b64f1325cb637
SHA512

689b3195c7e79cdca6962911b9de3fe60d3e27ad19ba42e852e261d8b0e28e19aef2eb58b5f707ef21a23a1031adbd721f6b271642d0b518ae9710d46d6bc32d
SSDEEP

1536:ACGeHGDJz+grk1IfNvh1NWgywTFZKKydVYHg9S:AjR+o4gFhZKwg

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2800	rundll32.exe
2800	rundll32.exe
2800	rundll32.exe
2800	rundll32.exe
2704	rundll32.exe
2704	rundll32.exe
2704	rundll32.exe
2704	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cviqihojis = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\lewmsy.dll\",Startup"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2800	rundll32.exe
2800	rundll32.exe
2800	rundll32.exe
2800	rundll32.exe
2800	rundll32.exe
2800	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 2800	2620	5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe	31
PID 2620 wrote to memory of 2800	2620	5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe	31
PID 2620 wrote to memory of 2800	2620	5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe	31
PID 2620 wrote to memory of 2800	2620	5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe	31
PID 2620 wrote to memory of 2800	2620	5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe	31
PID 2620 wrote to memory of 2800	2620	5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe	31
PID 2620 wrote to memory of 2800	2620	5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe	31
PID 2800 wrote to memory of 2704	2800	rundll32.exe	32
PID 2800 wrote to memory of 2704	2800	rundll32.exe	32
PID 2800 wrote to memory of 2704	2800	rundll32.exe	32
PID 2800 wrote to memory of 2704	2800	rundll32.exe	32
PID 2800 wrote to memory of 2704	2800	rundll32.exe	32
PID 2800 wrote to memory of 2704	2800	rundll32.exe	32
PID 2800 wrote to memory of 2704	2800	rundll32.exe	32

C:\Users\Admin\AppData\Local\Temp\5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5fc85e4419d8733b43b5ae25afb88fbd_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\lewmsy.dll",Startup
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\lewmsy.dll",iep
    3⤵
    - Loads dropped DLL
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\lewmsy.dll

Filesize
70KB

MD5
f5224980dd9e1b73abe55009ba2a2ea3

SHA1
8d4bb7f08704bfdd7770b9f9701d868e6962194e

SHA256
b0a4af04681bdbb45ae4b085be4d4e0c46bbfb2b354012308fd014983df651de

SHA512
c6c6e4237caa87707296aca90de17ee9add3bc96ad7018774d96c6444658900ef76313bca653cf5083505c8f221ab607940897168594ae4dea4884318edd88f6

Download Submit
memory/2620-12-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2620-1-0x0000000002260000-0x00000000022A0000-memory.dmp

Filesize
256KB

Download
memory/2620-2-0x0000000002260000-0x00000000022A0000-memory.dmp

Filesize
256KB

Download
memory/2620-0-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2620-16-0x0000000002260000-0x00000000022A0000-memory.dmp

Filesize
256KB

Download
memory/2704-25-0x0000000002710000-0x0000000002750000-memory.dmp

Filesize
256KB

Download
memory/2704-24-0x0000000002710000-0x0000000002750000-memory.dmp

Filesize
256KB

Download
memory/2704-27-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2800-10-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2800-11-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/2800-13-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2800-23-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2800-26-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download