2a0801e65512fc6cd5fd144d99ae9ff916788f832a3f5172e75ba6f2e4b12bfb

Analysis

max time kernel
125s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe
Size

410KB
MD5

f94fb2d47d9c9e2f1f54e59ba7cd7a25
SHA1

d78493793f7be21a2dd3586c12040dea30d1aee3
SHA256

2a0801e65512fc6cd5fd144d99ae9ff916788f832a3f5172e75ba6f2e4b12bfb
SHA512

f20ec944743f4ef9f00dedc7872078e1c871ec0d6b485183f8955efeea27b405fe44f880cec5aae7e844b3570350dc4464c019e6a055141e8b807c1c3aa85743
SSDEEP

12288:QMJO2RPK8b/Wr2kbjaexIQqyeaOqVoYYuNtTird:DJO2Rf7IjUAeaOEoOTEd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

isass.exe

pid process

4916 isass.exe

pid	process
4916	isass.exe

Drops file in Windows directory 3 IoCs

Processes:

f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\isass.exe	f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe
File opened for modification	C:\Windows\isass.exe	f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

isass.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	isass.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	isass.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	isass.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	isass.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	isass.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exeisass.exe

description pid process

Token: SeDebugPrivilege 2488 f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe
Token: SeDebugPrivilege 4916 isass.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

isass.exe

pid process

4916 isass.exe

description	pid	process
Token: SeDebugPrivilege	2488	f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe
Token: SeDebugPrivilege	4916	isass.exe

pid	process
4916	isass.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe

description	pid	process	target process
PID 2488 wrote to memory of 1052	2488	f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe	cmd.exe
PID 2488 wrote to memory of 1052	2488	f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe	cmd.exe
PID 2488 wrote to memory of 1052	2488	f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f94fb2d47d9c9e2f1f54e59ba7cd7a25_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
2⤵
PID:1052

C:\Windows\isass.exe
C:\Windows\isass.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\isass.exe

Filesize
410KB

MD5
f94fb2d47d9c9e2f1f54e59ba7cd7a25

SHA1
d78493793f7be21a2dd3586c12040dea30d1aee3

SHA256
2a0801e65512fc6cd5fd144d99ae9ff916788f832a3f5172e75ba6f2e4b12bfb

SHA512
f20ec944743f4ef9f00dedc7872078e1c871ec0d6b485183f8955efeea27b405fe44f880cec5aae7e844b3570350dc4464c019e6a055141e8b807c1c3aa85743

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
f1f82545261495422916730198814a84

SHA1
3ce3cd5040fdf83841363a26da21836eaec77211

SHA256
78dea31d20c97d5932245719df6f3d68347bad7361fdfdd4090bd5fdacc3843c

SHA512
ed751d01fcec224d6c14ffb5c7e5302bacbeffe9a85119335c9c098e1ad000a220e779446346d57bbb9b59575ba28907a23b317b15da8f6bb3e2e9b3560956d2

Download Submit
memory/2488-4-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/2488-17-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2488-0-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2488-5-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/2488-6-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/2488-9-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/2488-2-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/2488-1-0x0000000002280000-0x00000000022C3000-memory.dmp

Filesize
268KB

Download
memory/2488-18-0x0000000002280000-0x00000000022C3000-memory.dmp

Filesize
268KB

Download
memory/2488-3-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/4916-13-0x0000000000D00000-0x0000000000D43000-memory.dmp

Filesize
268KB

Download
memory/4916-14-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/4916-12-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4916-20-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4916-21-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download