3873779efe5c6e3c78e407e503f659acfa00be309cf00e3a60d79c72f9036ad6

Analysis

max time kernel
141s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3082350525da39f315e0bf3cc60fa7d_JaffaCakes118.exe
Size

1.2MB
MD5

f3082350525da39f315e0bf3cc60fa7d
SHA1

01c90c940f86df0cc7704c206229f1162aabe64c
SHA256

3873779efe5c6e3c78e407e503f659acfa00be309cf00e3a60d79c72f9036ad6
SHA512

e1b59440d567707c3999fadcddec290717d2d4798a1dfe2b6bfcda83a90cbc6db8a03de7e94090751080463ea2cd588c2645c25c69afcb2f63eae3594baa6c9b
SSDEEP

24576:HdQlCPC8is3ZuA4BkSfaf6mfJ+VoOxsThKWJoGKcspMbB/hi:9QEfZul3fCfIVoOxqJVdAMblhi

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

f3082350525da39f315e0bf3cc60fa7d_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\PCenter\\sp.exe"	f3082350525da39f315e0bf3cc60fa7d_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

ap.exe

pid process

1580 ap.exe
Loads dropped DLL 1 IoCs

Processes:

f3082350525da39f315e0bf3cc60fa7d_JaffaCakes118.exe

pid process

1012 f3082350525da39f315e0bf3cc60fa7d_JaffaCakes118.exe

pid	process
1580	ap.exe

pid	process
1012	f3082350525da39f315e0bf3cc60fa7d_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f3082350525da39f315e0bf3cc60fa7d_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ap.exe = "C:\\Users\\Admin\\AppData\\Roaming\\PCenter\\ap.exe"	f3082350525da39f315e0bf3cc60fa7d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

ap.exe

pid process

1580 ap.exe
1580 ap.exe
1580 ap.exe
1580 ap.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

ap.exe

pid process

1580 ap.exe
1580 ap.exe
1580 ap.exe
1580 ap.exe

pid	process
1580	ap.exe
1580	ap.exe
1580	ap.exe
1580	ap.exe

pid	process
1580	ap.exe
1580	ap.exe
1580	ap.exe
1580	ap.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

f3082350525da39f315e0bf3cc60fa7d_JaffaCakes118.exe

description	pid	process	target process
PID 1012 wrote to memory of 1580	1012	f3082350525da39f315e0bf3cc60fa7d_JaffaCakes118.exe	ap.exe
PID 1012 wrote to memory of 1580	1012	f3082350525da39f315e0bf3cc60fa7d_JaffaCakes118.exe	ap.exe
PID 1012 wrote to memory of 1580	1012	f3082350525da39f315e0bf3cc60fa7d_JaffaCakes118.exe	ap.exe

C:\Users\Admin\AppData\Local\Temp\f3082350525da39f315e0bf3cc60fa7d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3082350525da39f315e0bf3cc60fa7d_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1012

C:\Users\Admin\AppData\Roaming\PCenter\ap.exe
C:\Users\Admin\AppData\Roaming\PCenter\ap.exe
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1580

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso36FF.tmp\NSISdl.dll
Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Roaming\PCenter\ap.exe
Filesize
542KB

MD5
fc2660196af25e4ddd986204187600e2

SHA1
f09284c0c03c27c1de1bd88b14c20d7593ee3ef9

SHA256
c342d8d17e630c6aa13e485c18cc6e4fe4380c87dfdeee3e9007ce368784b8a8

SHA512
83aa6b0bfd95057341a3b8bd6ac4d5b58a789b7fdc4e9ced34b1f1a4a96a3e9b1ff2eb8318cd5f0024b757ca11b05b52cb636dfb43ebe42915ec6a2a931436d6

Download Submit
memory/1580-13-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/1580-14-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/1580-16-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download