3fcf616792ecfffc210495f2cab8d4964ca93f505ff8251f30b7a55eb926acf4

Analysis

max time kernel
93s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 13:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f11f1472cc5db7022f90af2c3634c809_JaffaCakes118.exe
Size

1000KB
MD5

f11f1472cc5db7022f90af2c3634c809
SHA1

7535fba252becd678109210d011f1526b8c86287
SHA256

3fcf616792ecfffc210495f2cab8d4964ca93f505ff8251f30b7a55eb926acf4
SHA512

b6403d48afc32c60893f9c725504549520dfe153f86b06d14444d6e2b4fe66023ca92550d2c5ef0ad1be0272d732ba954dfc47f3fce374dc4f05a8d983b05be7
SSDEEP

24576:0H1Khfp6ESE4VjsTtxBjNO2K1B+5vMiqt0gj2ed:l6xE4xsRnjNOhqOL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
756	f11f1472cc5db7022f90af2c3634c809_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
756	f11f1472cc5db7022f90af2c3634c809_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
11	pastebin.com
16	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
756	f11f1472cc5db7022f90af2c3634c809_JaffaCakes118.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
756	f11f1472cc5db7022f90af2c3634c809_JaffaCakes118.exe
756	f11f1472cc5db7022f90af2c3634c809_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1708	f11f1472cc5db7022f90af2c3634c809_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1708	f11f1472cc5db7022f90af2c3634c809_JaffaCakes118.exe
756	f11f1472cc5db7022f90af2c3634c809_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 756	1708	f11f1472cc5db7022f90af2c3634c809_JaffaCakes118.exe	85
PID 1708 wrote to memory of 756	1708	f11f1472cc5db7022f90af2c3634c809_JaffaCakes118.exe	85
PID 1708 wrote to memory of 756	1708	f11f1472cc5db7022f90af2c3634c809_JaffaCakes118.exe	85
PID 756 wrote to memory of 2024	756	f11f1472cc5db7022f90af2c3634c809_JaffaCakes118.exe	89
PID 756 wrote to memory of 2024	756	f11f1472cc5db7022f90af2c3634c809_JaffaCakes118.exe	89
PID 756 wrote to memory of 2024	756	f11f1472cc5db7022f90af2c3634c809_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\f11f1472cc5db7022f90af2c3634c809_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f11f1472cc5db7022f90af2c3634c809_JaffaCakes118.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\f11f1472cc5db7022f90af2c3634c809_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f11f1472cc5db7022f90af2c3634c809_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\f11f1472cc5db7022f90af2c3634c809_JaffaCakes118.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f11f1472cc5db7022f90af2c3634c809_JaffaCakes118.exe

Filesize
1000KB

MD5
eaf1b8185c32b07947fa3987dbbcca13

SHA1
3960ecab5086f0c48d48cf8b119f277a2a601393

SHA256
5ee652a77b30266de21e14f395e8a79b7b03e4d562ce1d6c4001c30945230856

SHA512
1eccd48de46bcae11fe45fc46c761146169e3403a67df1fadee53d0645340d8d5d7c5dd9f40148b3448a5f03e85f819b96da75f474317a3b37161ccad857b619

Download Submit
memory/756-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/756-16-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/756-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/756-20-0x0000000004FC0000-0x000000000503E000-memory.dmp

Filesize
504KB

Download
memory/756-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1708-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1708-1-0x0000000001660000-0x00000000016E3000-memory.dmp

Filesize
524KB

Download
memory/1708-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1708-12-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download