a15cc67dcb1068b724ef60a7c8a23f0a2b91dfa6a9df5e20d432ce6cba3653a7

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f00adf0c45251b01f77919acec2f8e9d_JaffaCakes118.exe
Size

1000KB
MD5

f00adf0c45251b01f77919acec2f8e9d
SHA1

0bae2747f10a96da01914f3b61e0887c8a895ba6
SHA256

a15cc67dcb1068b724ef60a7c8a23f0a2b91dfa6a9df5e20d432ce6cba3653a7
SHA512

1a419033d5c0f115ddd74e2943ddc7a9a4dc0005327c5ab0c5bd3429a085ca220719309bc414a1ab8c540821496f826ee2146180bc47c4eda00bdb588867e683
SSDEEP

12288:aLMn6vyB/MD9um71L/GV3ZFxaqn1lrAI/Ws5PqBHTECaBwQ2tb5JLrnylUPqt0gD:9ayuDwsk3ZFKsII1B+5vMiqt0gj2ed

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3144	f00adf0c45251b01f77919acec2f8e9d_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3144	f00adf0c45251b01f77919acec2f8e9d_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	pastebin.com
28	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3144	f00adf0c45251b01f77919acec2f8e9d_JaffaCakes118.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3144	f00adf0c45251b01f77919acec2f8e9d_JaffaCakes118.exe
3144	f00adf0c45251b01f77919acec2f8e9d_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2664	f00adf0c45251b01f77919acec2f8e9d_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2664	f00adf0c45251b01f77919acec2f8e9d_JaffaCakes118.exe
3144	f00adf0c45251b01f77919acec2f8e9d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 3144	2664	f00adf0c45251b01f77919acec2f8e9d_JaffaCakes118.exe	85
PID 2664 wrote to memory of 3144	2664	f00adf0c45251b01f77919acec2f8e9d_JaffaCakes118.exe	85
PID 2664 wrote to memory of 3144	2664	f00adf0c45251b01f77919acec2f8e9d_JaffaCakes118.exe	85
PID 3144 wrote to memory of 4860	3144	f00adf0c45251b01f77919acec2f8e9d_JaffaCakes118.exe	88
PID 3144 wrote to memory of 4860	3144	f00adf0c45251b01f77919acec2f8e9d_JaffaCakes118.exe	88
PID 3144 wrote to memory of 4860	3144	f00adf0c45251b01f77919acec2f8e9d_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\f00adf0c45251b01f77919acec2f8e9d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f00adf0c45251b01f77919acec2f8e9d_JaffaCakes118.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\f00adf0c45251b01f77919acec2f8e9d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f00adf0c45251b01f77919acec2f8e9d_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\f00adf0c45251b01f77919acec2f8e9d_JaffaCakes118.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f00adf0c45251b01f77919acec2f8e9d_JaffaCakes118.exe

Filesize
1000KB

MD5
4cf2360fa5deb8532a9404417ab9d123

SHA1
356f2648d1afc7f7663d68c2bb00e90f9bdc5855

SHA256
73199d460b2615fbab6082de8251d02521be2d0a9b80499a4249165784095ae9

SHA512
b628ade330acc0b8973540afa0954095f514bfff5fb86253c91067bf54e16cf83564ba5dc73a46f1367b3fa597c174b5bf8268ebe2b9ed8bd5fbd01b2be99cd2

Download Submit
memory/2664-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2664-1-0x0000000001660000-0x00000000016E3000-memory.dmp

Filesize
524KB

Download
memory/2664-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2664-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3144-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3144-15-0x00000000015F0000-0x0000000001673000-memory.dmp

Filesize
524KB

Download
memory/3144-20-0x0000000004F60000-0x0000000004FDE000-memory.dmp

Filesize
504KB

Download
memory/3144-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3144-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download