1c666eccfe50dc191a32e5c77229fc791e89fa6e5d1ebf235a1c13d5a2225030

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe
Size

182KB
MD5

601b85cd6d088bd86d9d21e8f54a2fed
SHA1

8cb4059305ae688fdc02e296f445a02784e01108
SHA256

1c666eccfe50dc191a32e5c77229fc791e89fa6e5d1ebf235a1c13d5a2225030
SHA512

4e035b1227de2eef0b4f5f0ef6ff6c78964c6303c2fd5ad6e7b85b41bcf1b733aafe403bcea2466d46269946b4ec5365269b59a6615236915d056d834b994032
SSDEEP

3072:aLbPRzNoP80lMaV5Q93DKAJjjH6bJjtpivAk12Ln/2IeWXE5MV6CWiqD89SfIIUy:+MP80lzLW3DJJP6bJjjoH1o/2lW020CS

Score

7^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000023445-21.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
2940	taskimg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\taskmrg.exe = "C:\\Windows\\system32\\taskimg.exe"	601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winsys.bat	601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\active_url.dll	taskimg.exe
File created	C:\Windows\SysWOW64\active_url.dll	taskimg.exe
File created	C:\Windows\SysWOW64\active_url.dll	601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\taskimg.exe	601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\taskimg.exe	601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4312	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 2832	648	601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe	91
PID 648 wrote to memory of 2832	648	601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe	91
PID 648 wrote to memory of 2832	648	601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe	91
PID 2832 wrote to memory of 4312	2832	cmd.exe	93
PID 2832 wrote to memory of 4312	2832	cmd.exe	93
PID 2832 wrote to memory of 4312	2832	cmd.exe	93
PID 2832 wrote to memory of 2940	2832	cmd.exe	96
PID 2832 wrote to memory of 2940	2832	cmd.exe	96
PID 2832 wrote to memory of 2940	2832	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\winsys.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost
    3⤵
    - Runs ping.exe
    PID:4312
- - C:\Windows\SysWOW64\taskimg.exe
    C:\Windows\system32\taskimg.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A9311A43BB35D90CA31DB0B353DC2084

Filesize
503B

MD5
2ed7ba52dde93dbc327035f6c6c7dbd3

SHA1
e6e98c6c74d0abfe96d630c52740e0817d335c47

SHA256
9dab07e4e900aaa46e1ec20563a6a1bd44911e6e42a15db49295892c797fdf10

SHA512
d161ee2d4718665c36b3b299e089f21908fe6c7b14e87e5b49e139cb73a5c8fbbe294c24b731812f06fa78e641741b06e24e33be2edd0772ff4ecf9180582192

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B739B29E00001B3AAE62EC8865A3C7C2

Filesize
504B

MD5
e38d8b1a26aad6db08ae45fd0a90d10a

SHA1
e8e6684dc7d685cd34a40ca129eece51505a0cf6

SHA256
1c1ec960d19541b732b6cc767b7f7cfe66163c83f5e2fc4652dc773b7192ad4a

SHA512
c0cede8e29d942236750b30b9c487566fa310c1dde82d7e5aac6144f82108048fa3991e2277eb4cd23af40cd09b3989ae849d13497971cd0089c6e5874380337

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
78c21e5a9fcc6bbd0800a5908bd6c527

SHA1
cd8ab0571d64217c30a99ed7141b232b67e58598

SHA256
b4145f6bee52fcda44da1453db2ea1fb42252d24f10561e9b2d8c41d95ff31b9

SHA512
58c654c216516d0d2b2b39b486d5c2b98049192d69dee1d720f0d19cdc0d28f3a5bb2180e142c8c27fcc00690eaace7f3914b5948f1819aa5434e1a408363be0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A9311A43BB35D90CA31DB0B353DC2084

Filesize
548B

MD5
7ab39e39d3826b2f59815eaea296300b

SHA1
6d406a79326af0cd96255000041c6c1c6dcbbe37

SHA256
2c210e78ac754d08b05e2bad84b497f56d3310632880b96cf05cad9b18d56630

SHA512
8461d4b1285d2915712badf4cbcd2a23e054f7b215a99c571dca26f9c3c92ac7b358a443a57fc0e6fc96771bed11a1f5b711213881bb19dbbb57c2e29bd4f7e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B739B29E00001B3AAE62EC8865A3C7C2

Filesize
550B

MD5
909ca5b5a32f8e1d5ceb62c8af15b631

SHA1
ca3874bae3fcfb6c74f4718c4b778423d64d9df8

SHA256
6496378e274e9937e0d549e28d6c944c37d46235c379449af7dfdb899593c170

SHA512
f17b5ac4af61ac0f1d25419ca42b137afd94f9d577d72003f204bdf8830a087b099024c6a41310abff54ad1033f3e05da132c1b7562a4d027e690e8cb11e8d08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MQYRE6E5\revisador[1].htm

Filesize
322B

MD5
a62b0493438fd61d0cde8dffc3a8616e

SHA1
07b00bdf8e858c6c3fc06554f6c5fd4955c5ab43

SHA256
9820da6718489adaa1ab2ada6f043af32870a720f7589d6e44252d9a8001d7fc

SHA512
a10c56ed5ab7c372140fb52d245d034d772328dc6649ebe45e86a4cf7c887e39b5d2fc26455a080891d81769d444cf2348e621edc0a07b2cfb482e979d1cbf88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NTK5APBE\revisador[2].htm

Filesize
34KB

MD5
7766c2d3f94e983019663a2ee18eae0c

SHA1
703bc6ee4c430af7f741c7e53df25982b9c57374

SHA256
c4d7d111503b031faeb69b8e1a4c24b54a1dedadb38da62da6424940cb0e5443

SHA512
5ab96b1f3e61d458b8ad8ae0478eb0b35a205478b910d34660bbcab0ae5e51e0bb068a1efb57badcc52d5bc5c06e8588104fa9f0bf635015f5020a24b765b500

Download Submit
C:\Windows\SysWOW64\taskimg.exe

Filesize
182KB

MD5
601b85cd6d088bd86d9d21e8f54a2fed

SHA1
8cb4059305ae688fdc02e296f445a02784e01108

SHA256
1c666eccfe50dc191a32e5c77229fc791e89fa6e5d1ebf235a1c13d5a2225030

SHA512
4e035b1227de2eef0b4f5f0ef6ff6c78964c6303c2fd5ad6e7b85b41bcf1b733aafe403bcea2466d46269946b4ec5365269b59a6615236915d056d834b994032

Download Submit
C:\Windows\SysWOW64\winsys.bat

Filesize
73B

MD5
cc498e91d17130bb2da47fa2c635f09e

SHA1
e01d7c7a67f50ebb7da552fc27a6555af253f61b

SHA256
709b45ebdc8e80db1d3df44e0335004cc8f43be7482010ee0732ecf923ec172e

SHA512
32cf292949760129a6767ddaeaac2b8595e682903883963c7a9e6da0b9269035f235164fb5cfc61a9e32b74a0beb57b0123ed350679923b4021b1838b8b414ce

Download Submit
memory/648-0-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/648-18-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2940-23-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/2940-40-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads