a6bed90d3d2a1c7657958e188fd423c3e4cc20a0ba15671e76232f492a2ced53

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcdecc1ecfb121c33ca69c27c4249bae_JaffaCakes118.exe
Size

18KB
MD5

fcdecc1ecfb121c33ca69c27c4249bae
SHA1

d02ef35e5a85717e5218b2dd47797819d01dd906
SHA256

a6bed90d3d2a1c7657958e188fd423c3e4cc20a0ba15671e76232f492a2ced53
SHA512

fed8c1e8ef447333f2ae4e69dad6f28c8fafd48d2ba9c1d251e7f99d9d59b84e3da7185dbcfa79abaf0d997ec7af103627275dec89e7618a872b558d27a9d115
SSDEEP

384:2uDVkmETGuyf1Xql3B4KngD0LJLRdvS8W:CmETGuy9XE4K4eS8

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1092	cmdbcs.exe

Executes dropped EXE 1 IoCs

pid	Process
1092	cmdbcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cmdbcs = "C:\\Windows\\cmdbcs.exe"	cmdbcs.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cmdbcs.dll	cmdbcs.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\cmdbcs.exe	fcdecc1ecfb121c33ca69c27c4249bae_JaffaCakes118.exe
File opened for modification	C:\Windows\cmdbcs.exe	fcdecc1ecfb121c33ca69c27c4249bae_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1092	cmdbcs.exe
1092	cmdbcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4448	fcdecc1ecfb121c33ca69c27c4249bae_JaffaCakes118.exe
Token: SeDebugPrivilege	1092	cmdbcs.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 1092	4448	fcdecc1ecfb121c33ca69c27c4249bae_JaffaCakes118.exe	86
PID 4448 wrote to memory of 1092	4448	fcdecc1ecfb121c33ca69c27c4249bae_JaffaCakes118.exe	86
PID 4448 wrote to memory of 1092	4448	fcdecc1ecfb121c33ca69c27c4249bae_JaffaCakes118.exe	86
PID 1092 wrote to memory of 3496	1092	cmdbcs.exe	56
PID 1092 wrote to memory of 3496	1092	cmdbcs.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3496
- C:\Users\Admin\AppData\Local\Temp\fcdecc1ecfb121c33ca69c27c4249bae_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fcdecc1ecfb121c33ca69c27c4249bae_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\cmdbcs.exe
    C:\Windows\cmdbcs.exe @C:\Users\Admin\AppData\Local\Temp\fcdecc1ecfb121c33ca69c27c4249bae_JaffaCakes118.exe@4448
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\cmdbcs.exe

Filesize
18KB

MD5
fcdecc1ecfb121c33ca69c27c4249bae

SHA1
d02ef35e5a85717e5218b2dd47797819d01dd906

SHA256
a6bed90d3d2a1c7657958e188fd423c3e4cc20a0ba15671e76232f492a2ced53

SHA512
fed8c1e8ef447333f2ae4e69dad6f28c8fafd48d2ba9c1d251e7f99d9d59b84e3da7185dbcfa79abaf0d997ec7af103627275dec89e7618a872b558d27a9d115

Download Submit