4225c5b7115c7a2f8c08cbfdf8cd0a8b28952a602f13580d674762d7b551054d

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62bd906746e687180e6f496af2c74ba7_JaffaCakes118.exe
Size

14KB
MD5

62bd906746e687180e6f496af2c74ba7
SHA1

c612dd94178b053ea120520a936131e0afb22390
SHA256

4225c5b7115c7a2f8c08cbfdf8cd0a8b28952a602f13580d674762d7b551054d
SHA512

4d9670448f4f574d22aa3139423d71921d368b755039563f063db3e703eb68fa1f85e2ddf8d5b1b72c6a1e8fe6eb94cfa28f943a212ccef4781ca0095cf0e67a
SSDEEP

384:jxNR77zN0w638TNFTBs16QCzOcg9Fgt2xClr:jxN17zn66W2zONFgt2xClr

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsft = "C:\\WINDOWS\\sys32.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2720	reg.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2608	2284	62bd906746e687180e6f496af2c74ba7_JaffaCakes118.exe	31
PID 2284 wrote to memory of 2608	2284	62bd906746e687180e6f496af2c74ba7_JaffaCakes118.exe	31
PID 2284 wrote to memory of 2608	2284	62bd906746e687180e6f496af2c74ba7_JaffaCakes118.exe	31
PID 2284 wrote to memory of 2608	2284	62bd906746e687180e6f496af2c74ba7_JaffaCakes118.exe	31
PID 2608 wrote to memory of 2720	2608	cmd.exe	33
PID 2608 wrote to memory of 2720	2608	cmd.exe	33
PID 2608 wrote to memory of 2720	2608	cmd.exe	33
PID 2608 wrote to memory of 2720	2608	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\62bd906746e687180e6f496af2c74ba7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\62bd906746e687180e6f496af2c74ba7_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Microsft /t REG_SZ /d C:\WINDOWS\sys32.exe
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat

Filesize
603B

MD5
e60896801e4777d71d000ec92507ab3b

SHA1
981e124730dc0f8a47cdbcc9a56af060a8d2b604

SHA256
a613337197cf51b0c48863891dedbc77608bed802cbb036393be82982e598ca0

SHA512
9a879e8b2cdd05581b27a9ba8cbae6eb2e5a770cc39987e2e135790ea70613f67e0f6dea27c1318e862b250eb51772ad10f8cfbb253db6fd62fe5f6275f295ee

Download Submit
memory/2284-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2284-11-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads