3c36ab6f4024c791f5abcffc8a55ed75b7451ff65417a01fbe2e8f3239cd59a8

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64542e3ae75f2058ce47ceff0b5727ac_JaffaCakes118.exe
Size

245KB
MD5

64542e3ae75f2058ce47ceff0b5727ac
SHA1

a7d98d76a40a8dbe52083a2f523801c466fba490
SHA256

3c36ab6f4024c791f5abcffc8a55ed75b7451ff65417a01fbe2e8f3239cd59a8
SHA512

2369ba789370a9ddc9afeed6634c22a0d99386e733f0978e55d72a9fe8aa520b0a142b50e5c34d4fad382945f762691c10bdacd7e2bb3a59b16a2b0ec848aa31
SSDEEP

6144:wu2urzh9xu/XkaumetrU8oN/ZROAQJGjOYly:wutrzh9xOXk3dKROAQPYU

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2836	i.exe
2624	dumpre.exe
2908	vmreg.exe

Loads dropped DLL 3 IoCs

pid	Process
2724	64542e3ae75f2058ce47ceff0b5727ac_JaffaCakes118.exe
2836	i.exe
2836	i.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\vmreg = "C:\\Users\\Admin\\AppData\\Roaming\\vmreg.exe"	vmreg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2836	2724	64542e3ae75f2058ce47ceff0b5727ac_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2836	2724	64542e3ae75f2058ce47ceff0b5727ac_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2836	2724	64542e3ae75f2058ce47ceff0b5727ac_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2836	2724	64542e3ae75f2058ce47ceff0b5727ac_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2836	2724	64542e3ae75f2058ce47ceff0b5727ac_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2836	2724	64542e3ae75f2058ce47ceff0b5727ac_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2836	2724	64542e3ae75f2058ce47ceff0b5727ac_JaffaCakes118.exe	30
PID 2836 wrote to memory of 2624	2836	i.exe	31
PID 2836 wrote to memory of 2624	2836	i.exe	31
PID 2836 wrote to memory of 2624	2836	i.exe	31
PID 2836 wrote to memory of 2624	2836	i.exe	31
PID 2836 wrote to memory of 2624	2836	i.exe	31
PID 2836 wrote to memory of 2624	2836	i.exe	31
PID 2836 wrote to memory of 2624	2836	i.exe	31
PID 2836 wrote to memory of 2908	2836	i.exe	32
PID 2836 wrote to memory of 2908	2836	i.exe	32
PID 2836 wrote to memory of 2908	2836	i.exe	32
PID 2836 wrote to memory of 2908	2836	i.exe	32
PID 2836 wrote to memory of 2908	2836	i.exe	32
PID 2836 wrote to memory of 2908	2836	i.exe	32
PID 2836 wrote to memory of 2908	2836	i.exe	32

C:\Users\Admin\AppData\Local\Temp\64542e3ae75f2058ce47ceff0b5727ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\64542e3ae75f2058ce47ceff0b5727ac_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Users\Admin\AppData\Local\Temp\i.exe
  "C:\Users\Admin\AppData\Local\Temp\i.exe" -pwr
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\dumpre.exe
    "C:\Users\Admin\AppData\Local\Temp\dumpre.exe"
    3⤵
    - Executes dropped EXE
    PID:2624
- - C:\Users\Admin\AppData\Local\Temp\vmreg.exe
    "C:\Users\Admin\AppData\Local\Temp\vmreg.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dumpre.exe

Filesize
142KB

MD5
0b394154ebd2203beb040384819f95f5

SHA1
e4941d116d8049849e3eee859756e797e2415ca9

SHA256
9f6b019f73dad051361a499886cead3767c10a51d035f5e40c9b65491a55ca54

SHA512
798a505e17adcaa9e65a20796fb1419248d50a16e379ced2af353fa82518aa7736e936156914468a3f4800e478fd3b4a3110750947196a5e97c7488401ff47aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmreg.exe

Filesize
99KB

MD5
37dcc449d703cd6e6886f70c8f6cbff7

SHA1
951227baf30ce76476f10f7759cf626aaad3a114

SHA256
4533780ef8afbc3573d608e1fb838df3e9ad1c459b592038edddb76bf7add2e5

SHA512
259b25e83accf25a73750d28527eb47f5ec5345da10d5d2f570452599652d38af2cc25d15beabc8e3bad94d0b44a8805fb63b39bb06c1f70ba318bf657708d56

Download Submit
\Users\Admin\AppData\Local\Temp\i.exe

Filesize
198KB

MD5
e8d2469bb884bc32e36711f8a5b06063

SHA1
7bfee9f755328db2040231cf5aff3d825b4461ae

SHA256
2879cd59a6f25f1bd40323b06d83b89362d81ecd01cd448e9b0f7728b7ae063b

SHA512
8556a520ea4bb06deb98a83a95a6fef48115419912b9be39c5bf56b60e7da549a755d2a7bcdb5c619de6352c3011820f899defc51bee564d49879ab1bc7db394

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads