03780b831d73440886c6ed5d71c3c1c4eea293569d9c454372f959cc8aeb49fd

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 14:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe
Size

106KB
MD5

9b12deefce1d5506012665df7f3ef103
SHA1

ec03f66334aff5d93e256baa9be3a79ce247b429
SHA256

03780b831d73440886c6ed5d71c3c1c4eea293569d9c454372f959cc8aeb49fd
SHA512

d43ae328960ee0f03a858cab28e2daf93437c1969bbd0fa4e2f1dcce5726b121b88c4b6189d1d6ed88aab77dc15210c66799128039110bcd37a90e4bc467b114
SSDEEP

768:jRbjxPZL4MvMrkbHwTN0GVQ+d4SeqzXf34BfW/PHA8zGesvEaApXwBDGRpn+tKg7:FjLjkr4Haboqz40/DzGeUEaHq0Hcd2

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ddkedeli = "C:\\Users\\Admin\\Preobed\\hemochroma.exe"	RegAsm.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exeRegAsm.exe

pid process

1896 9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe
1928 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe

description pid process target process

PID 1896 set thread context of 1928 1896 9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe RegAsm.exe

description	pid	process	target process
PID 1896 set thread context of 1928	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe

pid	process
1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe
1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe
1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe
1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe
1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe
1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe

pid process

1896 9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe

description	pid	process	target process
PID 1896 wrote to memory of 2708	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2708	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2708	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2708	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2708	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2708	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2708	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 3024	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 3024	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 3024	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 3024	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 3024	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 3024	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 3024	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2080	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2080	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2080	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2080	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2080	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2080	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2080	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2944	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2944	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2944	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2944	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2944	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2944	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2944	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2476	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2476	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2476	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2476	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2476	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2476	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 2476	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 1928	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 1928	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 1928	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 1928	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 1928	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 1928	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 1928	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe
PID 1896 wrote to memory of 1928	1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe"
2⤵
PID:2708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe"
2⤵
PID:3024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe"
2⤵
PID:2080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe"
2⤵
PID:2944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe"
2⤵
PID:2476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe"
2⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1928

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar32AB.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1896-2-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/1896-3-0x0000000077241000-0x0000000077342000-memory.dmp

Filesize
1.0MB

Download
memory/1896-4-0x0000000077240000-0x00000000773E9000-memory.dmp

Filesize
1.7MB

Download
memory/1896-844-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/1896-2825-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/1928-6-0x0000000077240000-0x00000000773E9000-memory.dmp

Filesize
1.7MB

Download

pid	process
1896	9b12deefce1d5506012665df7f3ef103_JaffaCakes118.exe
1928	RegAsm.exe