7ce0525a030a7fb7fba58bb9a72afb50028918547ed203dc4cc30d8904a0e3d1

Analysis

max time kernel
141s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2b7294aeb242d40da38e55432663699_JaffaCakes118.exe
Size

128KB
MD5

f2b7294aeb242d40da38e55432663699
SHA1

dbb891d0eefb6826e1477f363188366679b8adc8
SHA256

7ce0525a030a7fb7fba58bb9a72afb50028918547ed203dc4cc30d8904a0e3d1
SHA512

e1a0a25cbf7ef1221473d6033d49db5a4af5b71f13a83fa0306eeee555b48f4a295aabe388d6b0249ce7270081fb4a4608a55857128e776ac9cbe437b5973610
SSDEEP

3072:9Ybt6GNvYvwcz9gNvcMoY4sXDkOD6yM/w6:cNvYw9chY1YfyM/w6

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1828	taskhost.exe
4904	taskhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskhost = "C:\\Users\\Admin\\AppData\\Roaming\\taskhost.exe"	f2b7294aeb242d40da38e55432663699_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2720 set thread context of 3432	2720	f2b7294aeb242d40da38e55432663699_JaffaCakes118.exe	83
PID 1828 set thread context of 4904	1828	taskhost.exe	88

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4524	2720	WerFault.exe	82
180	1828	WerFault.exe	86

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 3432	2720	f2b7294aeb242d40da38e55432663699_JaffaCakes118.exe	83
PID 2720 wrote to memory of 3432	2720	f2b7294aeb242d40da38e55432663699_JaffaCakes118.exe	83
PID 2720 wrote to memory of 3432	2720	f2b7294aeb242d40da38e55432663699_JaffaCakes118.exe	83
PID 2720 wrote to memory of 3432	2720	f2b7294aeb242d40da38e55432663699_JaffaCakes118.exe	83
PID 2720 wrote to memory of 3432	2720	f2b7294aeb242d40da38e55432663699_JaffaCakes118.exe	83
PID 3432 wrote to memory of 1828	3432	f2b7294aeb242d40da38e55432663699_JaffaCakes118.exe	86
PID 3432 wrote to memory of 1828	3432	f2b7294aeb242d40da38e55432663699_JaffaCakes118.exe	86
PID 3432 wrote to memory of 1828	3432	f2b7294aeb242d40da38e55432663699_JaffaCakes118.exe	86
PID 1828 wrote to memory of 4904	1828	taskhost.exe	88
PID 1828 wrote to memory of 4904	1828	taskhost.exe	88
PID 1828 wrote to memory of 4904	1828	taskhost.exe	88
PID 1828 wrote to memory of 4904	1828	taskhost.exe	88
PID 1828 wrote to memory of 4904	1828	taskhost.exe	88

C:\Users\Admin\AppData\Local\Temp\f2b7294aeb242d40da38e55432663699_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2b7294aeb242d40da38e55432663699_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Local\Temp\f2b7294aeb242d40da38e55432663699_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f2b7294aeb242d40da38e55432663699_JaffaCakes118.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3432
- - C:\Users\Admin\AppData\Roaming\taskhost.exe
    C:\Users\Admin\AppData\Roaming\taskhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Users\Admin\AppData\Roaming\taskhost.exe
      C:\Users\Admin\AppData\Roaming\taskhost.exe
      4⤵
      Executes dropped EXE
      PID:4904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 296
      4⤵
      Program crash
      PID:180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 296
  2⤵
  - Program crash
  PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2720 -ip 2720
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1828 -ip 1828
1⤵
PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
128KB

MD5
666bbb92dfd9fc9ab2e654e18dc4bc90

SHA1
9767d22ab5fba3cf381c3970cb3c277d261f6abe

SHA256
d20f7b770f1ffb1776fe22d134786e03c36d187b9ccfa3474a875df593ded4d8

SHA512
1ef1011f42f6bd81ab4656c073db7552dede6f018eb8938f886129aee5a21581fed3c3e28c947c504ce7fa449d1d809682b087f1de08c6de12245be8185c5f5d

Download Submit
memory/3432-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3432-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3432-2-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3432-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4904-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4904-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4904-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4904-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads