bcb12069fa4642c70bdff4ebc9914b320ab5ef69e5c29a5977cadde1911616ea

Analysis

max time kernel
144s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 12:04

Target

f1038b7aabe27b028de4c551465b42db_JaffaCakes118.exe
Size

256KB
MD5

f1038b7aabe27b028de4c551465b42db
SHA1

b9a4f6b6e331a7a26d34d8541f4eab9bc0b4d503
SHA256

bcb12069fa4642c70bdff4ebc9914b320ab5ef69e5c29a5977cadde1911616ea
SHA512

530d79ca878cddbae100d2cf5c535fd171df7539532d6dde5ad1672da87f0d4fac756b4d6b2f63b121d3032eac244551ff398fca495136b4746f5229c18f8f40
SSDEEP

3072:+AWs015MjEomM4U4mZI78aAVMlc8MF+dWcTU1hgdyoA4rFn/9ZRm/y70gqPY:i8viUo8a26FTuhgrtrFn/XwFdY

Score

7^/10

Loads dropped DLL 2 IoCs

pid	Process
3040	f1038b7aabe27b028de4c551465b42db_JaffaCakes118.exe
3040	f1038b7aabe27b028de4c551465b42db_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\B831406A9770.dll	f1038b7aabe27b028de4c551465b42db_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\B831406A9770.dll	f1038b7aabe27b028de4c551465b42db_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291FABA8-CB00-488C-AC9E-B457FFC4A117}	f1038b7aabe27b028de4c551465b42db_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291FABA8-CB00-488C-AC9E-B457FFC4A117}\ = "fsvdf"	f1038b7aabe27b028de4c551465b42db_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291FABA8-CB00-488C-AC9E-B457FFC4A117}\InProcServer32	f1038b7aabe27b028de4c551465b42db_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291FABA8-CB00-488C-AC9E-B457FFC4A117}\InProcServer32\ = "C:\\Windows\\Debug\\B831406A9770.dll"	f1038b7aabe27b028de4c551465b42db_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291FABA8-CB00-488C-AC9E-B457FFC4A117}\InProcServer32\ThrEaDiNgModEL = "aPaRTmEnT"	f1038b7aabe27b028de4c551465b42db_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3040	f1038b7aabe27b028de4c551465b42db_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 4152	3040	f1038b7aabe27b028de4c551465b42db_JaffaCakes118.exe	91
PID 3040 wrote to memory of 4152	3040	f1038b7aabe27b028de4c551465b42db_JaffaCakes118.exe	91
PID 3040 wrote to memory of 4152	3040	f1038b7aabe27b028de4c551465b42db_JaffaCakes118.exe	91
PID 3040 wrote to memory of 464	3040	f1038b7aabe27b028de4c551465b42db_JaffaCakes118.exe	100
PID 3040 wrote to memory of 464	3040	f1038b7aabe27b028de4c551465b42db_JaffaCakes118.exe	100
PID 3040 wrote to memory of 464	3040	f1038b7aabe27b028de4c551465b42db_JaffaCakes118.exe	100

C:\Users\Admin\AppData\Local\Temp\f1038b7aabe27b028de4c551465b42db_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f1038b7aabe27b028de4c551465b42db_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  PID:4152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  PID:464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:3284

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
42B

MD5
cf7bcbe57fc2b96996d02e0113884fa8

SHA1
720a2b3e3f31e784fe81e00bf1bd2cb5a87008b7

SHA256
02cc667f0d5cc77b63cfb64c72f394ee1bee8e68e9ed1f11d213db58974cbfa3

SHA512
f6b4299d924b1061777f18f2e8e908ed55a19eb0c01a80e737183d6e99a65f0229ca5aac610cc3594c477730790917acfdcd6809e54a10b7a03c9795b2dc0c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
53B

MD5
7dbd48da67b4a642a9fcadb0cfbde6d7

SHA1
ccf490e3c4f327f26bcbd37422d1d22f0bee221b

SHA256
608742819cd9756f08cbd23d27b979e95200805f442df9f45df7ae282b95fe20

SHA512
071c58ad74866f97f0461a07f70e7bb87d473d86f7b115050dc233e7d1c9ffc84c1c7de2c6bb71f1f2b005455b5e63af8b979637a7774694376e186f92937882

Download Submit
C:\Windows\debug\B831406A9770.dll

Filesize
187KB

MD5
1c787397c3064bbea1f406bfb4d27348

SHA1
88a50af875f08cd953381b4933eaf9cb8e15904d

SHA256
9636d8b27aaa81b447683cfd90d7896d65dd5dbcaf01cbd162948b29eae75ac1

SHA512
b44377a8761060cb06c575cd7262fef1f3e8daef5a63e9037ee225b4b63d4fa3330ccd932efd3be5fb987f249fbeffef66d2aa67e969f653cd0022c573f676c3

Download Submit
memory/3040-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3040-12-0x0000000002280000-0x00000000022B4000-memory.dmp

Filesize
208KB

Download
memory/3040-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3040-17-0x0000000002280000-0x00000000022B4000-memory.dmp

Filesize
208KB

Download