2f319c522bce7d3a7853bfb9c88574924ae15a0f68d58feac19d9bb9033b0ce1

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 16:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe
Size

14KB
MD5

63f432aec9772a884160d896882cbe0a
SHA1

22b37f7ee38f08666195e5851de117643d582fba
SHA256

2f319c522bce7d3a7853bfb9c88574924ae15a0f68d58feac19d9bb9033b0ce1
SHA512

025cc07d8f89b2c97c183845f331d36fc5d2ea8cc6680398281ceccb9e0aa31ef0909aebcfb63f6f6e5dbb5ad148926a295eb45d8cd6c0cd56173b460be89ce0
SSDEEP

384:1o+PRpVf1vpCtuMihEM2P5Nt6tA6gbvqQj85A:15PRpV9YMMmEM2P5Nt6sRj8a

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\xolehlpjh.dll = "{F0930A2F-D971-4828-8209-B7DFD266ED44}"	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
1732	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2812	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xolehlpjh.tmp	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xolehlpjh.tmp	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xolehlpjh.nls	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F0930A2F-D971-4828-8209-B7DFD266ED44}	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F0930A2F-D971-4828-8209-B7DFD266ED44}\InProcServer32	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F0930A2F-D971-4828-8209-B7DFD266ED44}\InProcServer32\ = "C:\\Windows\\SysWow64\\xolehlpjh.dll"	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F0930A2F-D971-4828-8209-B7DFD266ED44}\InProcServer32\ThreadingModel = "Apartment"	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2812	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2812	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe
2812	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe
2812	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 1732	2812	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe	31
PID 2812 wrote to memory of 1732	2812	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe	31
PID 2812 wrote to memory of 1732	2812	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe	31
PID 2812 wrote to memory of 1732	2812	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\E0FC.tmp.bat
  2⤵
  - Deletes itself
  PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E0FC.tmp.bat

Filesize
207B

MD5
45177e0ca17880a867923bf0cb2618a6

SHA1
ace717390e33eb32bb2fec824ddd9d14485d7bca

SHA256
446b2ec13b541c29c58b3b9fe6d8640a5bf3f900f0bd3e124f90a533dde1f98f

SHA512
4e847b44eacac06387e951453f8a0487d259d6427ee87ba58f22addcc376f59210ff6eacd5ab979ba901f47501ef230281bbbbeff096a9de9a448dfaffca0f7c

Download Submit
C:\Windows\SysWOW64\xolehlpjh.tmp

Filesize
2.4MB

MD5
648d8bdf5c2086579c5299f5fcccea21

SHA1
1a3c3f223336be9b12791f25683b0b2e041e0fe5

SHA256
b1eb6564950e8677ba1dc5b59254f668cd7c65a884c49e5cb723338c3381770e

SHA512
0ea19424f323a02fb80cd1e0392b69243e71a47ec3b1bf49eb0e066e32b9593952ca92627a90409cd71b47cfc4693e432a8ccf625e8462bee7c2910a76530cf7

Download Submit
memory/2812-12-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2812-21-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download