bef7ea4833e21db94ddeb0366cfb65be3b4a909e322239483b17abf789b54f5f

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66b99ffe1c60aad510b24c0a2e39d43e_JaffaCakes118.exe
Size

147KB
MD5

66b99ffe1c60aad510b24c0a2e39d43e
SHA1

27716d003ffc0f94043f6419091b5c87951b2b73
SHA256

bef7ea4833e21db94ddeb0366cfb65be3b4a909e322239483b17abf789b54f5f
SHA512

8910aaea784a9fc34c756b39ccd1f18874c8146d8167e377bfa1235d296fda9c0dca6e3bf24643f2a5ef89d801dbdea2b415ceb3f78a69d0c923fbdbe216d2c4
SSDEEP

3072:2CMiqJl3v1S4AsvdhxBz8bNk/AKItB/pL/s9hlSLUFWzs:2CMzfM4vxBIO+XpDnUUzs

Score

8^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Executes dropped EXE 1 IoCs

pid	Process
2268	qrggcen.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\qrggcen.exe	66b99ffe1c60aad510b24c0a2e39d43e_JaffaCakes118.exe
File created	C:\PROGRA~3\Mozilla\zwjbghb.dll	qrggcen.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2268	2484	taskeng.exe	32
PID 2484 wrote to memory of 2268	2484	taskeng.exe	32
PID 2484 wrote to memory of 2268	2484	taskeng.exe	32
PID 2484 wrote to memory of 2268	2484	taskeng.exe	32

C:\Users\Admin\AppData\Local\Temp\66b99ffe1c60aad510b24c0a2e39d43e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\66b99ffe1c60aad510b24c0a2e39d43e_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
PID:1864

C:\Windows\system32\taskeng.exe
taskeng.exe {F14853D0-EA9A-43B9-9005-BA18E961DE98} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2484
- C:\PROGRA~3\Mozilla\qrggcen.exe
  C:\PROGRA~3\Mozilla\qrggcen.exe -cochpwl
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\qrggcen.exe

Filesize
147KB

MD5
d4dfee6f30aab9e28a2f466adbadbe3e

SHA1
a21a30476e578c6aa002eeb1c6c8fbabba3194db

SHA256
440c4041793c2d3cf420fc2dcc13c56992a7e6ac3d91842d8e8ad563b7466337

SHA512
67f0ae05047fab32b3c5585df1b3051ec29d84bb336dc754b31ecf2afe45cee91d353be56d16d64aae9ff2ebdc11b3f859518a4fcbab549a725ecd77431433d4

Download Submit
memory/1864-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1864-1-0x0000000000290000-0x00000000002EB000-memory.dmp

Filesize
364KB

Download
memory/1864-7-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2268-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2268-12-0x0000000000430000-0x000000000048B000-memory.dmp

Filesize
364KB

Download
memory/2268-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download