d36bc355f69f8113eccb71c17216cc8432bc6c256ba0e0eb5d7bc5f159c800b6

Analysis

max time kernel
93s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f22ccf86f80de057971c6bff081a8b78_JaffaCakes118.exe
Size

282KB
MD5

f22ccf86f80de057971c6bff081a8b78
SHA1

56faccb9253aedb7f4a809649cecfb8ad5ae4ddf
SHA256

d36bc355f69f8113eccb71c17216cc8432bc6c256ba0e0eb5d7bc5f159c800b6
SHA512

37c3f1ff2217de9234071365cbb45aaec5df5253dc3797e508c5b4eb61a3cfac5171fc5a754548c619ed512979e8fb6808c23e6ec0d614a2e5332cc436b932c9
SSDEEP

6144:2uYZ1t26fPAAYjH6i0OyxFG0JXsio3qm9pRH:1G1tnnYBTyAjH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2264	kaka.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	kaka.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	kaka.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	kaka.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	kaka.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system\kaka.exe	f22ccf86f80de057971c6bff081a8b78_JaffaCakes118.exe
File opened for modification	C:\Windows\system\kaka.exe	f22ccf86f80de057971c6bff081a8b78_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	f22ccf86f80de057971c6bff081a8b78_JaffaCakes118.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	kaka.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	kaka.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	kaka.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kaka.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	kaka.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	kaka.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kaka.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	kaka.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	208	f22ccf86f80de057971c6bff081a8b78_JaffaCakes118.exe
Token: SeDebugPrivilege	2264	kaka.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2264	kaka.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2120	2264	kaka.exe	88
PID 2264 wrote to memory of 2120	2264	kaka.exe	88
PID 208 wrote to memory of 3888	208	f22ccf86f80de057971c6bff081a8b78_JaffaCakes118.exe	94
PID 208 wrote to memory of 3888	208	f22ccf86f80de057971c6bff081a8b78_JaffaCakes118.exe	94
PID 208 wrote to memory of 3888	208	f22ccf86f80de057971c6bff081a8b78_JaffaCakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\f22ccf86f80de057971c6bff081a8b78_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f22ccf86f80de057971c6bff081a8b78_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:3888

C:\Windows\system\kaka.exe
C:\Windows\system\kaka.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2120

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\kaka.exe

Filesize
282KB

MD5
f22ccf86f80de057971c6bff081a8b78

SHA1
56faccb9253aedb7f4a809649cecfb8ad5ae4ddf

SHA256
d36bc355f69f8113eccb71c17216cc8432bc6c256ba0e0eb5d7bc5f159c800b6

SHA512
37c3f1ff2217de9234071365cbb45aaec5df5253dc3797e508c5b4eb61a3cfac5171fc5a754548c619ed512979e8fb6808c23e6ec0d614a2e5332cc436b932c9

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
9fc539d008e1c2bfe3805ad8699902e1

SHA1
641f0921297a8af704bb37661e12deb6c7ad0ec6

SHA256
710bcf6359df5a612237b6bff28addda7dec8fb0da73b0e81735e4214eeb54a6

SHA512
d0db37620f15f5e5ae0c427b910ea9407ac57e96a335f9d4484044d9ffe15657da794d79f87116d78287d6ed350976e29632015a75627450be49a3806744e001

Download Submit
memory/208-0-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/208-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/208-2-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/208-11-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2264-7-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2264-8-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/2264-13-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2264-14-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2264-15-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download