a423193c571a7726f20bcd42e9c9658cbaaf36237ecbfb8b70ca00f2aea4d65d

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe
Size

10KB
MD5

f8a154521bd546c4a2e9704f63def716
SHA1

89c24d1f3043b5891a494b0e8b3f422642b0ac7e
SHA256

a423193c571a7726f20bcd42e9c9658cbaaf36237ecbfb8b70ca00f2aea4d65d
SHA512

d308a0b06695a1f0c92c1424bd5fa83dac8b242d2a8feced95607301f8cd73d4f75c2828ee61b97f7327a76a116ddd65b7d112efe622425e8f7ae70eed8400a7
SSDEEP

192:m8sc7GOuYqBAo+0Q2kn+AhoXUgzaUGJDqhEGk5NLpoBYswx58b0UHW:m8f7GOuZljkn+A+aJDWEGUpsM5JYW

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\DLMon = "{590498A3-4131-4D8F-BA4B-36791A0803B1}"	f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DLMain.dll	f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DLMain.dll	f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{590498A3-4131-4D8F-BA4B-36791A0803B1}\InprocServer32	f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{590498A3-4131-4D8F-BA4B-36791A0803B1}	f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{590498A3-4131-4D8F-BA4B-36791A0803B1}\InprocServer32\ = "C:\\Windows\\SysWow64\\DLMain.dll"	f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{590498A3-4131-4D8F-BA4B-36791A0803B1}\InprocServer32\ThreadingModel = "Apartment"	f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2128	f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2128	f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1276	2128	f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe	21
PID 2128 wrote to memory of 3016	2128	f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe	28
PID 2128 wrote to memory of 3016	2128	f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe	28
PID 2128 wrote to memory of 3016	2128	f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe	28
PID 2128 wrote to memory of 3016	2128	f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276
- C:\Users\Admin\AppData\Local\Temp\f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f8a154521bd546c4a2e9704f63def716_JaffaCakes118.exe"
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\F8A154~1.EXE > nul
    3⤵
    PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1276-5-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/2128-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2128-4-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2128-6-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download