f6c2428ba8dc7771b497c0d01856be5dc4964d1a593e86fb905ce050b4e4b4cf

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f478ab4c7867a71ed3c659f7fabd7fe0_JaffaCakes118.exe
Size

6.1MB
MD5

f478ab4c7867a71ed3c659f7fabd7fe0
SHA1

788609fe9f081d526d41e94218d8007364a44d85
SHA256

f6c2428ba8dc7771b497c0d01856be5dc4964d1a593e86fb905ce050b4e4b4cf
SHA512

a7c58af5e5344701e299307a51a321f8a998d2fc9b074e734e441a8099b257e1f47ab08eabb13e53a0ce7a5ebeed5fffc28aca44ab5d6c3bc393f87631d98034
SSDEEP

98304:qHR5f4S5otAn4uIqf/Ej/xlbAwgqrbA+PD675yVGwYJwbtUTMRFt:URSqotTdAwgqbzPDm+GJW+QLt

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1252	setup.exe
1672	is-SKO0F.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f478ab4c7867a71ed3c659f7fabd7fe0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 1252	2568	f478ab4c7867a71ed3c659f7fabd7fe0_JaffaCakes118.exe	85
PID 2568 wrote to memory of 1252	2568	f478ab4c7867a71ed3c659f7fabd7fe0_JaffaCakes118.exe	85
PID 2568 wrote to memory of 1252	2568	f478ab4c7867a71ed3c659f7fabd7fe0_JaffaCakes118.exe	85
PID 1252 wrote to memory of 1672	1252	setup.exe	87
PID 1252 wrote to memory of 1672	1252	setup.exe	87
PID 1252 wrote to memory of 1672	1252	setup.exe	87

C:\Users\Admin\AppData\Local\Temp\f478ab4c7867a71ed3c659f7fabd7fe0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f478ab4c7867a71ed3c659f7fabd7fe0_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\is-PL6EL.tmp\is-SKO0F.tmp
    C:\Users\Admin\AppData\Local\Temp\is-PL6EL.tmp\is-SKO0F.tmp /SL4 $F0068 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe 7561514 68096
    3⤵
    - Executes dropped EXE
    PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe

Filesize
7.5MB

MD5
9c6a9fe8ca0182451e6473118483ac52

SHA1
a4db98a7c398716af6e5cbb0522c03005cfd198d

SHA256
e538b8f4af6d4d76a4a9ec00ff2b275cdc1539a104d85e95915907535e258046

SHA512
927aafb4afc8d90df4b0b7cb11b601a8445f0f8eb02dd4a55a5d4468320f004dd7c76a35d6787f127631bf246ddddcf97ad0cfc10016dfd734c988517a1fddf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PL6EL.tmp\is-SKO0F.tmp

Filesize
550KB

MD5
f8af304447fc04618285f448d0651220

SHA1
ec2dd2c8b931501f977eefef5449b37373734415

SHA256
f0678194ef4b80ed8ec73ef78e5dff621c2602df47fb90e43800b6ab30c33d59

SHA512
c2e4cca9a38c8a5616936b2c643596c6125782bf32619eb9e890f9a7b4a293504151b22478e308656f43fc30e7ba4d9859e1a8ac1aba5e72169b8ded7cf39289

Download Submit
memory/1252-5-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1252-15-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1672-12-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1672-16-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1672-19-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads