4adfdcb3d3fb5e4f7b95b3600ec6c3865462de19b46ef2c0ccd014db3dbb311b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe
Size

12KB
MD5

fbaa0a3e6b5173986ee5302d0ed13079
SHA1

f858a1b988e717f099c34bae058302c96f28d649
SHA256

4adfdcb3d3fb5e4f7b95b3600ec6c3865462de19b46ef2c0ccd014db3dbb311b
SHA512

4c272ba192f938cacecd3506d4134f2ef72f59f8db17639acf6c56ba8a44e6eb83131a4398645ced3c19dfdc032d22be6cd0bdf2c50cc981a4a77cc9e221802f
SSDEEP

384:TSifIrO7k6zLoqupEaJpd5/k5jbDueeH2N0U03Y:WaAO5n+t5kueeHIEY

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 3 IoCs

pid	Process
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
1224	mduaeyk.exe
3028	mduaeyk.exe.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LUOM = "C:\\Windows\\system32\\DLD.exe"	mduaeyk.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LUOM = "C:\\Windows\\system32\\DLD.exe"	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mduaey.dll	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mduaeyk.exe	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mduaeyk.exe	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mduaeyk.exe.exe	mduaeyk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3892	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe
3028	mduaeyk.exe.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 3892	4252	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe	84
PID 4252 wrote to memory of 3892	4252	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe	84
PID 4252 wrote to memory of 3892	4252	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe	84
PID 4252 wrote to memory of 1224	4252	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe	85
PID 4252 wrote to memory of 1224	4252	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe	85
PID 4252 wrote to memory of 1224	4252	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe	85
PID 1224 wrote to memory of 3028	1224	mduaeyk.exe	86
PID 1224 wrote to memory of 3028	1224	mduaeyk.exe	86
PID 1224 wrote to memory of 3028	1224	mduaeyk.exe	86
PID 4252 wrote to memory of 816	4252	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe	90
PID 4252 wrote to memory of 816	4252	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe	90
PID 4252 wrote to memory of 816	4252	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Users\Admin\AppData\Local\Temp\fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
  C:\Users\Admin\AppData\Local\Temp\fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:3892
- C:\Windows\SysWOW64\mduaeyk.exe
  C:\Windows\system32\mduaeyk.exe ˜‰
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\SysWOW64\mduaeyk.exe.exe
    C:\Windows\SysWOW64\mduaeyk.exe.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:3028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.bat
  2⤵
  PID:816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.bat

Filesize
210B

MD5
b6d3abf79289fe5fd8de434094f6b7b8

SHA1
3da8345686b4850c261b5a27406e6fc740bc6bb1

SHA256
81a3b9e93e847d6d51c7875a570fa82127127edb402952b2039925d51f5a3348

SHA512
e86b63e5440db41ef8a2c874417fbcf0dfb4fe4961ff5477b77ab35317e08dcefdf6fefa38e090dd2102159697e2647a9c9f6885528c8683fa6ce137c6bf2f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe

Filesize
3KB

MD5
1bcf09f14702c9f68a88ffa073afa3d8

SHA1
cb62fc01ceb661bb64d1ac1fb81168f3b607744b

SHA256
a9bd6846e10adf9cfe498aaeb8bb48b729be3129f1fae50382d44dd9d1346cf4

SHA512
c90fab7882c136545e3c8d8dd8a9e1df4b42640f42c105f6ebb5be2a8f568a25972924389e6449f5d8c9f3f7d2e25ae6d6835ca92e4f13fdc7ef4a674b3be864

Download Submit
C:\Windows\SysWOW64\mduaeyk.exe

Filesize
12KB

MD5
fbaa0a3e6b5173986ee5302d0ed13079

SHA1
f858a1b988e717f099c34bae058302c96f28d649

SHA256
4adfdcb3d3fb5e4f7b95b3600ec6c3865462de19b46ef2c0ccd014db3dbb311b

SHA512
4c272ba192f938cacecd3506d4134f2ef72f59f8db17639acf6c56ba8a44e6eb83131a4398645ced3c19dfdc032d22be6cd0bdf2c50cc981a4a77cc9e221802f

Download Submit