ff7174e43019569d1174b91d7723b6e9e6704fda530556af68852cb4dcdb1838

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe
Size

801KB
MD5

1a2f1f0bb3014b6dc2e4cba0c38f3a3d
SHA1

eae4fb7d04d59d0a50762fc5f85884a38e7d74cb
SHA256

ff7174e43019569d1174b91d7723b6e9e6704fda530556af68852cb4dcdb1838
SHA512

b76b48a7802eb8edbffbb1188df0f80a47f8e4a5efb0dd676ee9809f30ddc37edf049bb949b1cd0d808e84d6034c47c0590405e149505c18a20b06ba20c37625
SSDEEP

24576:/c//////Af9RhVlO5KfQDRCDxEgkasgiOREXqaf7fs5qZFJ+:/c//////AfThvfY1CD6asg6XXfLdo

Score

7^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

21.exean.exe

pid process

2520 21.exe
2552 an.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.execmd.exe

pid process

3024 cmd.exe
2076 cmd.exe
3024 cmd.exe
2076 cmd.exe

pid	process
2520	21.exe
2552	an.exe

pid	process
3024	cmd.exe
2076	cmd.exe
3024	cmd.exe
2076	cmd.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\an.exe	vmprotect
behavioral1/memory/2552-14-0x0000000000400000-0x00000000005E5000-memory.dmp	vmprotect
behavioral1/memory/2552-15-0x0000000000400000-0x00000000005E5000-memory.dmp	vmprotect
behavioral1/memory/2552-32-0x0000000000400000-0x00000000005E5000-memory.dmp	vmprotect

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

an.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main an.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

an.exe

pid process

2552 an.exe
2552 an.exe
2552 an.exe
2552 an.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	an.exe

pid	process
2552	an.exe
2552	an.exe
2552	an.exe
2552	an.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.execmd.execmd.exe

description	pid	process	target process
PID 2992 wrote to memory of 2076	2992	1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe	cmd.exe
PID 2992 wrote to memory of 2076	2992	1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe	cmd.exe
PID 2992 wrote to memory of 2076	2992	1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe	cmd.exe
PID 2992 wrote to memory of 2076	2992	1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe	cmd.exe
PID 2992 wrote to memory of 3024	2992	1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe	cmd.exe
PID 2992 wrote to memory of 3024	2992	1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe	cmd.exe
PID 2992 wrote to memory of 3024	2992	1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe	cmd.exe
PID 2992 wrote to memory of 3024	2992	1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe	cmd.exe
PID 3024 wrote to memory of 2552	3024	cmd.exe	an.exe
PID 3024 wrote to memory of 2552	3024	cmd.exe	an.exe
PID 3024 wrote to memory of 2552	3024	cmd.exe	an.exe
PID 3024 wrote to memory of 2552	3024	cmd.exe	an.exe
PID 2076 wrote to memory of 2520	2076	cmd.exe	21.exe
PID 2076 wrote to memory of 2520	2076	cmd.exe	21.exe
PID 2076 wrote to memory of 2520	2076	cmd.exe	21.exe
PID 2076 wrote to memory of 2520	2076	cmd.exe	21.exe

C:\Users\Admin\AppData\Local\Temp\1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\\21.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076

C:\Users\Admin\AppData\Local\Temp\21.exe
C:\Users\Admin\AppData\Local\Temp\\21.exe
3⤵
- Executes dropped EXE
PID:2520

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\\an.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\an.exe
C:\Users\Admin\AppData\Local\Temp\\an.exe
3⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2552

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\21.exe
Filesize
32KB

MD5
3411daacd28adcc3e8777df9f0e55b68

SHA1
f3caa6baf64a8c83d0c46a4d6df1e603911f9852

SHA256
41b5098d4d30c6888f70ccfb03c92595ffb846a87a00b7a202e8e7c0fe029e23

SHA512
e1888ad1e9e53bd148b47d498a62172a13752e61beebfcc74f0e7eb2f29037a72487937ce84d29b02bd7692f2afd606ca803fbd36873ae3a73e05e2e2430f730

Download Submit
\Users\Admin\AppData\Local\Temp\an.exe
Filesize
736KB

MD5
26618be6175e6ed1cc028978ba151495

SHA1
cb8b553bcffcb51bdce08ca3dca3200a8c8bcaec

SHA256
65c2c9086008da3d00e9574cdb9f7415e3f4f105d931531e65a89df63db0099f

SHA512
7d4bc1890f92065c84b60ab6bb48729d9730eef7a39ee937150582617bc3ed630e0fee9e350d6f3ef7b9032d11821b455c64d775b518b9eebd41446e1f097546

Download Submit
memory/2520-10-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2552-14-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/2552-15-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/2552-32-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/2992-2-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3024-12-0x0000000002390000-0x0000000002575000-memory.dmp

Filesize
1.9MB

Download
memory/3024-13-0x0000000002390000-0x0000000002575000-memory.dmp

Filesize
1.9MB

Download