Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 02-07-2024 17:22

Static task: static1

Behavioral task: behavioral1
- Sample: 202fb69734e0eb9213156f79bcbe79cd_JaffaCakes118.exe
- Resource: win7-20240419-en
- 8 signatures
- 150 seconds
General
- Target: 202fb69734e0eb9213156f79bcbe79cd_JaffaCakes118.exe
- Size: 136KB
- MD5: 202fb69734e0eb9213156f79bcbe79cd
- SHA1: ee8bc656418710f738b4ef1bb565d4e3df21b27a
- SHA256: 1b1d08ba5c9ab42ea4473383c30651c7283aca95e6bde0aa6c613a4eb9ba014b
- SHA512: 920e1bbf1a2e1cc6d80a8123e209ac7e60a8e5fb6defc2dfa55dde85f930559e655586a047838e059fe301bd3c33307e97a30efcb80e830a1143ddec74cfbf0a
- SSDEEP: 3072:hvTW661letEoocz4plCCCf30z+Co5wJ3g9:hvTa6EooXCCCfkz+CD
Malware Config
Signatures
-
Drops file in System32 directory (1 IoC)
Process: portaldma.exe
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS (21 IoCs)
Process: portaldma.exe (all 21 entries)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDB8CC54-5585-4BD8-B797-FD0EDB683D86}\5e-5f-bb-a7-bd-40
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-5f-bb-a7-bd-40\WpadDecisionReason = "1"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-5f-bb-a7-bd-40\WpadDecision = "0"
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDB8CC54-5585-4BD8-B797-FD0EDB683D86}
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDB8CC54-5585-4BD8-B797-FD0EDB683D86}\WpadDecisionReason = "1"
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDB8CC54-5585-4BD8-B797-FD0EDB683D86}\WpadDecisionTime = 60da347fa4ccda01
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDB8CC54-5585-4BD8-B797-FD0EDB683D86}\WpadDecision = "0"
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDB8CC54-5585-4BD8-B797-FD0EDB683D86}\WpadNetworkName = "Network 3"
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-5f-bb-a7-bd-40
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-5f-bb-a7-bd-40\WpadDecisionTime = 60da347fa4ccda01
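Every one of these writes lands under \REGISTRY\USER\.DEFAULT, the hive behind HKEY_USERS\.DEFAULT that a process uses when it runs as LocalSystem rather than as a logged-on user; together with the counters.dat path under config\systemprofile this places portaldma.exe in the SYSTEM context. The Wpad, Connections, ProxyEnable and 5.0\Cache values are the ones WinINet populates when a process initialises Internet access and resolves proxy settings, so they are consistent with an outbound connection attempt even where no traffic is shown. The script below is an added example, not the sandbox's own logic: it parses operations written in the report's line format (a subset of the 21 entries above is transcribed into it), derives the hive owner and counts the WinINet artifacts. The .DEFAULT-to-LocalSystem mapping and the WinINet key list are this example's own rules.

```python
"""Classify sandbox registry operations by hive owner and WinINet signature.

Added example for this report, not sandbox code. Input lines follow the
report's own "Modifies data under HKEY_USERS" format. The hive-to-account
mapping and the WinINet marker list are this example's own heuristics.
"""
import re

# Constructed input: six of the report's 21 operations, in the report's format.
REG_OPS = r"""
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-5f-bb-a7-bd-40 portaldma.exe
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-5f-bb-a7-bd-40\WpadDecisionReason = "1" portaldma.exe
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" portaldma.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" portaldma.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDB8CC54-5585-4BD8-B797-FD0EDB683D86}\WpadNetworkName = "Network 3" portaldma.exe
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 portaldma.exe
"""

# Assumption: HKU\.DEFAULT backs the LocalSystem (S-1-5-18) profile; SID-named
# hives belong to logged-on users.
HIVE_OWNER = {".DEFAULT": "LocalSystem (S-1-5-18)"}

# Keys WinINet touches when a process opens an Internet session and runs
# proxy auto-detection (WPAD). This list is the example's own.
WININET_MARKERS = (
    "\\Internet Settings\\Wpad",
    "\\Internet Settings\\Connections",
    "\\Internet Settings\\5.0\\Cache",
    "\\Internet Settings\\ProxyEnable",
)

SET_VALUE_RE = re.compile(r"Set value \((\w+)\) (.*)$")


def parse_op(line):
    """Split one report line into op, value type, path, value, process, hive."""
    body, process = line.strip().rsplit(" ", 1)   # process name is the last token
    if body.startswith("Key created "):
        op, kind, rest = "Key created", None, body[len("Key created "):]
    else:
        m = SET_VALUE_RE.match(body)
        op, kind, rest = "Set value", m.group(1), m.group(2)
    path, _, value = rest.partition(" = ")          # value is absent for key creation
    hive = path.split("\\")[3]                      # \REGISTRY\USER\<hive>\...
    return {"op": op, "kind": kind, "path": path,
            "value": value.strip('"') or None, "process": process, "hive": hive}


def triage(text=REG_OPS):
    """Summarise who wrote, under which account context, and how much of it is WinINet noise."""
    ops = [parse_op(l) for l in text.strip().splitlines() if l.strip()]
    hives = {o["hive"] for o in ops}
    wininet = [o for o in ops if any(m in o["path"] for m in WININET_MARKERS)]
    proxy = next((o["value"] for o in ops if o["path"].endswith("\\ProxyEnable")), None)
    return {
        "total": len(ops),
        "processes": sorted({o["process"] for o in ops}),
        "hives": sorted(hives),
        "runs_as": sorted({HIVE_OWNER.get(h, "user profile (SID hive)") for h in hives}),
        "wininet_artifacts": len(wininet),
        "proxy_enable": proxy,   # "0": direct connections, no static proxy configured
        "wpad_networks": sorted({o["value"] for o in ops
                                 if o["path"].endswith("\\WpadNetworkName")}),
    }


if __name__ == "__main__":
    for k, v in triage().items():
        print(f"{k}: {v}")
```

Run against the full 21-line table the same way; the useful signal for a hunt is the combination of a non-system binary name under a SYSTEM hive and WPAD values, because ordinary services rarely write Internet Settings into .DEFAULT.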
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
- PID 2676 portaldma.exe (4 events)
Suspicious behavior: RenamesItself (1 IoC)
Processes:
- PID 2680 202fb69734e0eb9213156f79bcbe79cd_JaffaCakes118.exe
Suspicious use of UnmapMainImage (4 IoCs)
Processes:
- PID 1760 202fb69734e0eb9213156f79bcbe79cd_JaffaCakes118.exe
- PID 2680 202fb69734e0eb9213156f79bcbe79cd_JaffaCakes118.exe
- PID 2664 portaldma.exe
- PID 2676 portaldma.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (source PID, source process, target PID, target process):
- PID 1760 202fb69734e0eb9213156f79bcbe79cd_JaffaCakes118.exe wrote to memory of PID 2680 202fb69734e0eb9213156f79bcbe79cd_JaffaCakes118.exe (4 events)
- PID 2664 portaldma.exe wrote to memory of PID 2676 portaldma.exe (4 events)
Processes (PIDs taken from the signature tables above)
- C:\Users\Admin\AppData\Local\Temp\202fb69734e0eb9213156f79bcbe79cd_JaffaCakes118.exe (PID 1760)
  Command line: "C:\Users\Admin\AppData\Local\Temp\202fb69734e0eb9213156f79bcbe79cd_JaffaCakes118.exe"
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\202fb69734e0eb9213156f79bcbe79cd_JaffaCakes118.exe (PID 2680)
    Command line: --578aa511
    - Suspicious behavior: RenamesItself
    - Suspicious use of UnmapMainImage
- C:\Windows\SysWOW64\portaldma.exe (PID 2664)
  Command line: "C:\Windows\SysWOW64\portaldma.exe"
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\portaldma.exe (PID 2676)
    Command line: --806b0b82
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
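Both process chains have the same shape: a parent (PID 1760, then PID 2664) starts a child of its own image, writes into it four times, and parent and child are both flagged for UnmapMainImage. The dump list below records two differently sized regions at the same base 0x400000 for each child (140KB and 80KB), which is what a process looks like when its mapped image is unmapped and a different one written in its place. The script below is an added example, not the sandbox's logic: it parses write events in the report's own line format (the eight lines are transcribed from the WriteProcessMemory table), joins them with the UnmapMainImage PID set, and labels each parent-to-child chain. The hollowing heuristic and the ATT&CK T1055.012 mapping are this example's own; the report itself states only the raw events.

```python
"""Correlate WriteProcessMemory and UnmapMainImage events into injection chains.

Added example for this report, not sandbox code. Event lines are
transcribed from the report's "Suspicious use of WriteProcessMemory"
table; UNMAP_PIDS comes from its UnmapMainImage signature. The verdict
heuristic and the ATT&CK mapping are this example's own.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed input, report format: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
WPM_EVENTS = """
PID 1760 wrote to memory of 2680 1760 202fb69734e0eb9213156f79bcbe79cd_JaffaCakes118.exe 202fb69734e0eb9213156f79bcbe79cd_JaffaCakes118.exe
PID 1760 wrote to memory of 2680 1760 202fb69734e0eb9213156f79bcbe79cd_JaffaCakes118.exe 202fb69734e0eb9213156f79bcbe79cd_JaffaCakes118.exe
PID 1760 wrote to memory of 2680 1760 202fb69734e0eb9213156f79bcbe79cd_JaffaCakes118.exe 202fb69734e0eb9213156f79bcbe79cd_JaffaCakes118.exe
PID 1760 wrote to memory of 2680 1760 202fb69734e0eb9213156f79bcbe79cd_JaffaCakes118.exe 202fb69734e0eb9213156f79bcbe79cd_JaffaCakes118.exe
PID 2664 wrote to memory of 2676 2664 portaldma.exe portaldma.exe
PID 2664 wrote to memory of 2676 2664 portaldma.exe portaldma.exe
PID 2664 wrote to memory of 2676 2664 portaldma.exe portaldma.exe
PID 2664 wrote to memory of 2676 2664 portaldma.exe portaldma.exe
"""

# PIDs the report flags for "Suspicious use of UnmapMainImage".
UNMAP_PIDS = {1760, 2680, 2664, 2676}

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")


@dataclass(frozen=True)
class Chain:
    source_pid: int
    target_pid: int
    source_image: str
    target_image: str
    writes: int
    target_unmapped: bool

    @property
    def same_image(self) -> bool:
        return self.source_image.lower() == self.target_image.lower()

    @property
    def verdict(self) -> str:
        # Heuristic (this example's own): a parent writing into a child that runs
        # the same image while that child's main image has been unmapped is the
        # RunPE / process-hollowing pattern, ATT&CK T1055.012.
        if self.same_image and self.target_unmapped:
            return "self-hollowing (T1055.012 candidate)"
        if self.target_unmapped:
            return "hollowing into foreign image (T1055.012 candidate)"
        return "cross-process write (T1055 candidate)"


def correlate(text=WPM_EVENTS, unmap_pids=UNMAP_PIDS):
    """Group write events by (source, target) and attach the unmap flag of the target."""
    counts = Counter()
    images = {}
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue                      # ignore lines that are not write events
        src, dst, src_img, dst_img = int(m[1]), int(m[2]), m[3], m[4]
        counts[(src, dst)] += 1
        images[(src, dst)] = (src_img, dst_img)
    return [Chain(s, d, *images[(s, d)], n, d in unmap_pids)
            for (s, d), n in sorted(counts.items())]


if __name__ == "__main__":
    for c in correlate():
        print(f"{c.source_pid} -> {c.target_pid} ({c.target_image}, {c.writes} writes): {c.verdict}")
```

The report's two chains both come out as self-hollowing candidates; a chain whose target is not in the UnmapMainImage set is downgraded to a plain cross-process write, so the same code distinguishes hollowing from, say, a debugger or updater patching another process.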
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/1760-0-0x0000000000220000-0x0000000000231000-memory.dmp (68KB)
- memory/1760-1-0x0000000000400000-0x0000000000414000-memory.dmp (80KB)
- memory/1760-3-0x0000000000220000-0x0000000000231000-memory.dmp (68KB)
- memory/2664-6-0x0000000000400000-0x0000000000423000-memory.dmp (140KB)
- memory/2676-10-0x0000000000400000-0x0000000000423000-memory.dmp (140KB)
- memory/2676-11-0x0000000000400000-0x0000000000414000-memory.dmp (80KB)
- memory/2676-12-0x0000000000400000-0x0000000000423000-memory.dmp (140KB)
- memory/2676-13-0x0000000000400000-0x0000000000414000-memory.dmp (80KB)
- memory/2680-4-0x0000000000400000-0x0000000000423000-memory.dmp (140KB)
- memory/2680-5-0x0000000000400000-0x0000000000414000-memory.dmp (80KB)
- memory/2680-9-0x0000000000400000-0x0000000000414000-memory.dmp (80KB)