bcb0a41963c0baddfbc72ade7382ae8f5ec039c1439c71cc8d96f30b8656f519

Analysis

max time kernel
85s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe
Size

15KB
MD5

f3e75c94de3c8fbd9a057c63f7ce0062
SHA1

8bc106204f4792b6fc25af00d6eac1908dfaad1b
SHA256

bcb0a41963c0baddfbc72ade7382ae8f5ec039c1439c71cc8d96f30b8656f519
SHA512

7338d6050c05bb5cafac45ce9b5817caa2e0bbaad268c30c52e07bf749bd93be7ecbd5448283bcf98d2d079b4dc68d63f09f75d1424b4c4a0578c2eec39639d9
SSDEEP

384:ty/TOFJLcl399gCERlNT+mZXgRiUC9ywO5jYl1aXY+ne:ty/TQml8bRlNvQwUC9UjYl8e

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\slbiopfs2.dll = "{00250025-0025-0025-0025-00250025BB15}"	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
1556	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\slbiopfs2.tmp	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\slbiopfs2.tmp	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\slbiopfs2.nls	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00250025-0025-0025-0025-00250025BB15}	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00250025-0025-0025-0025-00250025BB15}\InProcServer32	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00250025-0025-0025-0025-00250025BB15}\InProcServer32\ = "C:\\Windows\\SysWow64\\slbiopfs2.dll"	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00250025-0025-0025-0025-00250025BB15}\InProcServer32\ThreadingModel = "Apartment"	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1556	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe
1556	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1556	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe
1556	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe
1556	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 1528	1556	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe	95
PID 1556 wrote to memory of 1528	1556	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe	95
PID 1556 wrote to memory of 1528	1556	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe	95

C:\Users\Admin\AppData\Local\Temp\f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\414A.tmp.bat
  2⤵
  PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\414A.tmp.bat

Filesize
207B

MD5
f842398883950acf17cfd5f3c23e7969

SHA1
321fb6b59728198d69364e63465941e2c841b14c

SHA256
13ee45ba32418f13665d8c72597b69eae774ba021feda02d60e85b5717268cc5

SHA512
56b6116cf09d64884f5174281a0e0f28f45af18a2f70767485eb32e3181a6d7643910fdabd89ac471119f4b75d7b997755344f5cebdb38b1427215d09bf2f46e

Download Submit
C:\Windows\SysWOW64\slbiopfs2.nls

Filesize
428B

MD5
2fac5903c986ca533a9573420c1c77de

SHA1
928923bf5e601a51ff636878594852d3fd432080

SHA256
3f691192c74a1cc8af639ab8136fa097a21ffc8c7dbd00c555ebcb7ffac66f27

SHA512
54727f7dc12927955fff9c0b9dcf404d39889a21c7f48d5f55d348aa2876b2279539f330124f6299223edca358a7f90cda8f3dfb46a39f05cfff09f5a7234d58

Download Submit
C:\Windows\SysWOW64\slbiopfs2.tmp

Filesize
963KB

MD5
5dd9eb70c15da321d4ab9e7c89696e8e

SHA1
b932e5f8806bf034c85fc9dd1fb8426491baf456

SHA256
ac952d3362ed3b7e8fa081e338568c29ea197eec11a30e45ea2f72872cabee5b

SHA512
bc6f64db127c4ae84fab44ba6f29a2e324aecdc9b7c14830c81e4a9e76a175e6aadff2e4183f3475b13f04a5a6adcffbf886fdf4de17ee1c065d1ee14a135a1d

Download Submit
memory/1556-17-0x0000000020000000-0x000000002000A000-memory.dmp

Filesize
40KB

Download
memory/1556-21-0x0000000020000000-0x000000002000A000-memory.dmp

Filesize
40KB

Download