d684e74f9ff79a749c66b5f33afc74db4e664374f6ce5567c618c156df16bd13

Analysis

max time kernel
140s
max time network
134s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6446f82364e4c85e9139b0999e365648_JaffaCakes118.exe
Size

128KB
MD5

6446f82364e4c85e9139b0999e365648
SHA1

770283ade7d3703ed37eaed29d87844578b44910
SHA256

d684e74f9ff79a749c66b5f33afc74db4e664374f6ce5567c618c156df16bd13
SHA512

ef7f572723b40d9d25b93762c31f79fd1aa83ab00d5bff454762938eb913eacb1e2cdc0bac5a8b07fde68c57aff8df22f069cd3d782324d17b0016558a749f01
SSDEEP

3072:LGsTooyT9fA8T6G+RZIdBIMoFCSzqrBxH:LGqooyZfAY6LWBYzz+Bx

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Winet\Parameters\ServiceDll = "C:\\Windows\\system32\\winnet.dll"	6446f82364e4c85e9139b0999e365648_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2284	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1864	6446f82364e4c85e9139b0999e365648_JaffaCakes118.exe
2236	svchost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winnet.dll.uns	6446f82364e4c85e9139b0999e365648_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winnet.dll.uns	6446f82364e4c85e9139b0999e365648_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winnet.dll	6446f82364e4c85e9139b0999e365648_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winnet.dll	6446f82364e4c85e9139b0999e365648_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1864	6446f82364e4c85e9139b0999e365648_JaffaCakes118.exe
2236	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 2284	1864	6446f82364e4c85e9139b0999e365648_JaffaCakes118.exe	31
PID 1864 wrote to memory of 2284	1864	6446f82364e4c85e9139b0999e365648_JaffaCakes118.exe	31
PID 1864 wrote to memory of 2284	1864	6446f82364e4c85e9139b0999e365648_JaffaCakes118.exe	31
PID 1864 wrote to memory of 2284	1864	6446f82364e4c85e9139b0999e365648_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\6446f82364e4c85e9139b0999e365648_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6446f82364e4c85e9139b0999e365648_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\DelEx.bat" "
  2⤵
  - Deletes itself
  PID:2284

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DelEx.bat

Filesize
260B

MD5
0c6d9f0928880de1342d4174b5bc49ed

SHA1
c35e750f92bb7e6948c5cae10649bf36b15b6bec

SHA256
7541d4b819780e554ee8021da05bc94be35c0dc57a0dc0ab9efd998164759bc8

SHA512
f5c645af8780a5355586ce087214a5c7ce69f36e47b10089d281a607b0e9cb932fa6487e6990d8d3ebe2d1724622424291230f31e0427b8ff96e768c4f1fe3c0

Download Submit
\Users\Admin\AppData\Local\Temp\KKK.dll

Filesize
110KB

MD5
62a1f2d50285271ebdd28e4630a54819

SHA1
7e31b421249e67a65aa4f988353c9320be994fad

SHA256
daa49809028db0d295126071b3febaf3312bbcf436a5651a9a5ea06c6a0b5e56

SHA512
cd8eecbd03b9812c4c6c11c3ccb915593ddefd010f3dee45db504f90795b26d168aa45f3f8873cbdaba29855988c420cd58ca8ea9568863c36f211ae83417536

Download Submit
memory/1864-3-0x0000000000220000-0x0000000000243000-memory.dmp

Filesize
140KB

Download
memory/1864-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1864-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-12-0x0000000000150000-0x0000000000173000-memory.dmp

Filesize
140KB

Download
memory/2236-24-0x0000000000150000-0x0000000000173000-memory.dmp

Filesize
140KB

Download
memory/2236-26-0x0000000000150000-0x0000000000173000-memory.dmp

Filesize
140KB

Download
memory/2236-32-0x0000000000150000-0x0000000000173000-memory.dmp

Filesize
140KB

Download