Analysis

  • max time kernel
    144s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/04/2024, 08:36

General

  • Target

    fc5aa1906a159ee13d37aab3986be6f2_JaffaCakes118.exe

  • Size

    459KB

  • MD5

    fc5aa1906a159ee13d37aab3986be6f2

  • SHA1

    33741d57ac6a5bb456a1a2b8e797a82fff7ba80d

  • SHA256

    5143c5e62c20e424a810bce1512e5feb7b156f9322f8256163ca3bf3f1988c79

  • SHA512

    d5e4e04ba7727af3e6dc81bf892d7666b5532310182d5d2e46e6eccdf7d15a67b388fd8db79f31693229a539a3124ad3f6e11b3417c10ff85642c2976698c5e8

  • SSDEEP

    12288:fNw8rpifjNpgiVwGd3RwnDowSbmoq4YrNw7Ef7qs9HGEXEx2ft7fTneSvG7tvH3s:LifjNp3Vw8RwnDowSbmoq42Nw7W739Hp

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 48 IoCs
  • Drops file in System32 directory 8 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc5aa1906a159ee13d37aab3986be6f2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fc5aa1906a159ee13d37aab3986be6f2_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies Installed Components in the registry
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4604
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\system32\mswinsck.ocx"
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:2784
    • C:\Windows\SysWOW64\scvhost.exe
      C:\Windows\system32\scvhost.exe C:\Users\Admin\AppData\Local\Temp\fc5aa1906a159ee13d37aab3986be6f2_JaffaCakes118.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3356
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 /s "C:\Windows\system32\mswinsck.ocx"
        3⤵
        • Loads dropped DLL
        • Modifies registry class
        PID:4048
      • C:\Windows\SysWOW64\scvhost.exe
        C:\Windows\system32\scvhost.exe C:\Windows\system32\scvhost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:5072

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\mswinsck.ocx

    Filesize

    105KB

    MD5

    9484c04258830aa3c2f2a70eb041414c

    SHA1

    b242a4fb0e9dcf14cb51dc36027baff9a79cb823

    SHA256

    bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

    SHA512

    9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

  • C:\Windows\SysWOW64\scvhost.exe

    Filesize

    459KB

    MD5

    fc5aa1906a159ee13d37aab3986be6f2

    SHA1

    33741d57ac6a5bb456a1a2b8e797a82fff7ba80d

    SHA256

    5143c5e62c20e424a810bce1512e5feb7b156f9322f8256163ca3bf3f1988c79

    SHA512

    d5e4e04ba7727af3e6dc81bf892d7666b5532310182d5d2e46e6eccdf7d15a67b388fd8db79f31693229a539a3124ad3f6e11b3417c10ff85642c2976698c5e8