104cfc169567e06203a46f699c8b0249face8a47b213c1f4a8609bfef1b1569a

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 03:20

Target

584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe
Size

72KB
MD5

584e10fd25ea48444ab5ea56ea34a461
SHA1

282a619b75a4e55e8579a10fcba8e32a3f9f40a2
SHA256

104cfc169567e06203a46f699c8b0249face8a47b213c1f4a8609bfef1b1569a
SHA512

86384b18b88de99a07b7c7453de045f342a9ea5da717bee2da1c8fe67354f08d84b6acd75eaadde51a7c2675bcaaa3760491bf775f31eddbfb707678bcdb1475
SSDEEP

1536:sWmLQLoXO5msms0sSvFNGwNDtpN0shO5msm:sWmSUTs0L/0hUT

Score

6^/10

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

RegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\chorion = "C:\\Users\\Admin\\forvarsl\\SPIDSART.exe"	RegAsm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 drive.google.com
5 drive.google.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exeRegAsm.exe

pid process

3068 584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe
2452 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe

description pid process target process

PID 3068 set thread context of 2452 3068 584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe RegAsm.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe

pid process

3068 584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe
3068 584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe

pid process

3068 584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe

flow	ioc
3	drive.google.com
5	drive.google.com

pid	process
3068	584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe
2452	RegAsm.exe

description	pid	process	target process
PID 3068 set thread context of 2452	3068	584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe	RegAsm.exe

pid	process
3068	584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe
3068	584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe

pid	process
3068	584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe

description	pid	process	target process
PID 3068 wrote to memory of 2464	3068	584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe	RegAsm.exe
PID 3068 wrote to memory of 2464	3068	584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe	RegAsm.exe
PID 3068 wrote to memory of 2464	3068	584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe	RegAsm.exe
PID 3068 wrote to memory of 2464	3068	584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe	RegAsm.exe
PID 3068 wrote to memory of 2464	3068	584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe	RegAsm.exe
PID 3068 wrote to memory of 2464	3068	584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe	RegAsm.exe
PID 3068 wrote to memory of 2464	3068	584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe	RegAsm.exe
PID 3068 wrote to memory of 2452	3068	584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe	RegAsm.exe
PID 3068 wrote to memory of 2452	3068	584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe	RegAsm.exe
PID 3068 wrote to memory of 2452	3068	584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe	RegAsm.exe
PID 3068 wrote to memory of 2452	3068	584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe	RegAsm.exe
PID 3068 wrote to memory of 2452	3068	584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe	RegAsm.exe
PID 3068 wrote to memory of 2452	3068	584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe	RegAsm.exe
PID 3068 wrote to memory of 2452	3068	584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe	RegAsm.exe
PID 3068 wrote to memory of 2452	3068	584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe	RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe"
2⤵
PID:2464

memory/2452-6-0x0000000077210000-0x00000000773B9000-memory.dmp

Filesize
1.7MB

Download
memory/3068-2-0x0000000000310000-0x0000000000319000-memory.dmp

Filesize
36KB

Download
memory/3068-3-0x0000000077211000-0x0000000077312000-memory.dmp

Filesize
1.0MB

Download
memory/3068-4-0x0000000077210000-0x00000000773B9000-memory.dmp

Filesize
1.7MB

Download
memory/3068-25-0x0000000000310000-0x0000000000319000-memory.dmp

Filesize
36KB

Download
memory/3068-26-0x0000000000310000-0x0000000000319000-memory.dmp

Filesize
36KB

Download