817e85ca4fddb19755670848abfd2dbdb943b5963cb6b58f8234b5f450e38e84

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 23:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fde8b793c9a5c5833ea99ed1aa5c6f4c_JaffaCakes118.exe
Size

587KB
MD5

fde8b793c9a5c5833ea99ed1aa5c6f4c
SHA1

3a04f52b648801331b887ba8031d0455f54f2c8e
SHA256

817e85ca4fddb19755670848abfd2dbdb943b5963cb6b58f8234b5f450e38e84
SHA512

457c8b9915e60e29c7576a64a3d6838f9d6cad2925fc8162cb9bd10411143fb2f26223e6615c2444cbd6194db17e68169d65669d40d4e550d84c89646d740997
SSDEEP

12288:tthN4o1mIIWKd2QAPJtMPo/aiOHETa/I19mX8:t/6o9IWK8IPG8HEe/I1ks

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\host = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fde8b793c9a5c5833ea99ed1aa5c6f4c_JaffaCakes118.exe"	fde8b793c9a5c5833ea99ed1aa5c6f4c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Internet Explorer\IESettingSync	fde8b793c9a5c5833ea99ed1aa5c6f4c_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	fde8b793c9a5c5833ea99ed1aa5c6f4c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	fde8b793c9a5c5833ea99ed1aa5c6f4c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	fde8b793c9a5c5833ea99ed1aa5c6f4c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2348	fde8b793c9a5c5833ea99ed1aa5c6f4c_JaffaCakes118.exe
2348	fde8b793c9a5c5833ea99ed1aa5c6f4c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 1732	2348	fde8b793c9a5c5833ea99ed1aa5c6f4c_JaffaCakes118.exe	89
PID 2348 wrote to memory of 1732	2348	fde8b793c9a5c5833ea99ed1aa5c6f4c_JaffaCakes118.exe	89
PID 2348 wrote to memory of 1732	2348	fde8b793c9a5c5833ea99ed1aa5c6f4c_JaffaCakes118.exe	89
PID 2348 wrote to memory of 64	2348	fde8b793c9a5c5833ea99ed1aa5c6f4c_JaffaCakes118.exe	93
PID 2348 wrote to memory of 64	2348	fde8b793c9a5c5833ea99ed1aa5c6f4c_JaffaCakes118.exe	93
PID 2348 wrote to memory of 64	2348	fde8b793c9a5c5833ea99ed1aa5c6f4c_JaffaCakes118.exe	93
PID 2348 wrote to memory of 2564	2348	fde8b793c9a5c5833ea99ed1aa5c6f4c_JaffaCakes118.exe	99
PID 2348 wrote to memory of 2564	2348	fde8b793c9a5c5833ea99ed1aa5c6f4c_JaffaCakes118.exe	99
PID 2348 wrote to memory of 2564	2348	fde8b793c9a5c5833ea99ed1aa5c6f4c_JaffaCakes118.exe	99

C:\Users\Admin\AppData\Local\Temp\fde8b793c9a5c5833ea99ed1aa5c6f4c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fde8b793c9a5c5833ea99ed1aa5c6f4c_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ping_www.antekecrew.net_-t
  2⤵
  PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ping_www.antekecrew.net_-t
  2⤵
  PID:64
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ping_www.antekecrew.net_-t
  2⤵
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2348-0-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/2348-1-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/2348-30-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/2348-31-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads