f16e92033095c6b4ffe4e4e8b27377660b8ecbc538be5968ec0e08b6b501aefa

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 05:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f5216cb55c5ba5cd10ae7ce3b8b3b357_JaffaCakes118.exe
Size

201KB
MD5

f5216cb55c5ba5cd10ae7ce3b8b3b357
SHA1

a4fe9b476567ea0de8e30c00a982ade845ed7667
SHA256

f16e92033095c6b4ffe4e4e8b27377660b8ecbc538be5968ec0e08b6b501aefa
SHA512

9c6e256b3544a399fe3112b84ade808727686d9f947e6ffa3285843a6e4068157c6cc44681eede1e6bcd0857589009f08b32a8a4d49e221619acb1dc6228d8dc
SSDEEP

3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/B8Etka4kgnC:o68i3odBiTl2+TCU/DtkVk8C

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart"	f5216cb55c5ba5cd10ae7ce3b8b3b357_JaffaCakes118.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SHARE_TEMP\Icon10.ico	f5216cb55c5ba5cd10ae7ce3b8b3b357_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon12.ico	f5216cb55c5ba5cd10ae7ce3b8b3b357_JaffaCakes118.exe
File created	C:\Windows\bugMAKER.bat	f5216cb55c5ba5cd10ae7ce3b8b3b357_JaffaCakes118.exe
File created	C:\Windows\winhash_up.exez	f5216cb55c5ba5cd10ae7ce3b8b3b357_JaffaCakes118.exe
File opened for modification	C:\Windows\winhash_up.exez	f5216cb55c5ba5cd10ae7ce3b8b3b357_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon2.ico	f5216cb55c5ba5cd10ae7ce3b8b3b357_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon5.ico	f5216cb55c5ba5cd10ae7ce3b8b3b357_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon6.ico	f5216cb55c5ba5cd10ae7ce3b8b3b357_JaffaCakes118.exe
File created	C:\Windows\winhash_up.exe	f5216cb55c5ba5cd10ae7ce3b8b3b357_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon3.ico	f5216cb55c5ba5cd10ae7ce3b8b3b357_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon7.ico	f5216cb55c5ba5cd10ae7ce3b8b3b357_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon14.ico	f5216cb55c5ba5cd10ae7ce3b8b3b357_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 4196	4076	f5216cb55c5ba5cd10ae7ce3b8b3b357_JaffaCakes118.exe	91
PID 4076 wrote to memory of 4196	4076	f5216cb55c5ba5cd10ae7ce3b8b3b357_JaffaCakes118.exe	91
PID 4076 wrote to memory of 4196	4076	f5216cb55c5ba5cd10ae7ce3b8b3b357_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\f5216cb55c5ba5cd10ae7ce3b8b3b357_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5216cb55c5ba5cd10ae7ce3b8b3b357_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\bugMAKER.bat
  2⤵
  PID:4196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4476 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:3312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\bugMAKER.bat

Filesize
90B

MD5
3fa60903e2ff01c567425a9811277b78

SHA1
b05e478c1543ae076bc386abcfa1e434433ecac6

SHA256
69e147f5d7cac0e1e4b97d082b013d71dae26e11dfa05332b69fa4b0d71c5907

SHA512
c18f2a76bc3d39f85e1369420bb235cc4d1c722817f50427c702a97979cd63f71947741d39958382349c6f79abcad60e1e346e78f05b49e451495d0ad9248229

Download Submit
memory/4076-24-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads