Analysis
-
max time kernel
156s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
21/04/2024, 12:46
General
-
Target
ff4ead85d03c52f368ba833d9dc58d01_JaffaCakes118.dll
-
Size
670KB
-
MD5
ff4ead85d03c52f368ba833d9dc58d01
-
SHA1
4ad6da8977108452584c4bc6191f0d91ad3ff94b
-
SHA256
2dff68623defa4edb64b514ec769e9ff3448b3ae1c0768e784cd305bfce2f91c
-
SHA512
f4019d6a7cbdaa5ae66dcee8bd44b13fed9899392030cf189f4a05a6c230188829926b658a75e2bab48635006491db4aceb605ef7ef6b5f81c2cf261aa0fcf9f
-
SSDEEP
6144:DRD4MlqMABEN37jt9ZA3H8DaLCw0w6LhMA8aF8pVqEDFqf1b/3C:DRZQOrcHwwH6tMzaFg8EDcf1r3C
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 3 IoCs
-
Modifies registry class 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 52 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ff4ead85d03c52f368ba833d9dc58d01_JaffaCakes118.dll,#11⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\ApproveChildRequest.exeC:\Windows\system32\ApproveChildRequest.exe1⤵
-
C:\Windows\system32\AssignedAccessGuard.exeC:\Windows\system32\AssignedAccessGuard.exe1⤵
-
C:\Windows\system32\ntprint.exeC:\Windows\system32\ntprint.exe1⤵
-
C:\Windows\system32\bdechangepin.exeC:\Windows\system32\bdechangepin.exe1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\OkMJ.cmd1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{2876edf9-11ce-6726-5bde-f751084e1399}"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /Delete /F /TN "User_Feed_Synchronization-{2876edf9-11ce-6726-5bde-f751084e1399}"2⤵
-
-
C:\Windows\system32\fixmapi.exeC:\Windows\system32\fixmapi.exe1⤵
-
C:\Windows\system32\gpscript.exeC:\Windows\system32\gpscript.exe1⤵
-
C:\Windows\system32\DisplaySwitch.exeC:\Windows\system32\DisplaySwitch.exe1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\KWot.cmd1⤵
- Drops file in System32 directory
-
C:\Windows\System32\eventvwr.exe"C:\Windows\System32\eventvwr.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4012 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
675KB
MD5f9918a4bb9adcb48fffb20a8fa1178fd
SHA173058ba6d52729cad2225f7c476701b2a6f5dd67
SHA2560d15444c586679f96efa62bb12ff1043d0640b5d99106e72ef96de6ae4e192d3
SHA5123558805eec092a455ba06264dfb8c79d7ad345908e5fe115bd0fb8e3fe83d305c5821af8efd6aa18c62678d07b96fcf6d69f39a79f906d1e7be900bb0409f63e
-
Filesize
198B
MD54db23e984a3216e30ba432deebcb457b
SHA187df4473fa88291f15b2876f038ef0a40c98ef51
SHA256052686cae70c4342e0a0740a28888ec6e5492bf608d8ac7e0aa3edc569436599
SHA512f618a9554f36f565dbd68ed253f432b757d63a6a6d863228bd78aa3c5f2ab63d98e9dc2015ac0b9a779349ba8fe4f791e8f3320b35aff13e797f2b9a66bd42f8
-
Filesize
237B
MD526da540432d3e2552ab17ca17db44bfe
SHA10614367c4319e39fa431f2cec77ca683d311e151
SHA25643e15969c15d06a2ab89f601da9f53bef97c9be91c2e22fc8671fc89064965a4
SHA51265e6276bdfec4df36fa4f192925908b722764651293b8c868686cec5f6e93e6fcdba223cbb16201b06b27d02fd63fda4be1325d25de2cf77f67d3558d039d12d
-
Filesize
947KB
MD5bca442a12be398d16744f8727f8a3f2b
SHA18c4bfff52d32d78c64b79037bb1356549c2f8ec4
SHA256e73955728c9a1e7ccfdab2724206584adea4818d5d0a5937c26a1f9a186ff189
SHA51231741ce1a94caf1b196817bbb1cf633f03d1588e14fa0bf1aa060c80705477f882a4b99af5e965ebf9943ac3055abb293e1125494f560f6345945b219d6c1268
-
Filesize
938B
MD5fdb79ad6213b23566abef0350eaf870a
SHA19b9fb2e2dd128a6a483886c872f6f87001a852b9
SHA256163459fec075dcc60e2df98bed4834594cc354dc9f439b0247b3d3c12ce4e026
SHA512399631db693dc2ce31b7a4881f49c884e4ace00f5b41c1feee4a341a8f067073303ef6bff46188eebcca410e7a5583d875dc5386c860b82e11aacc971def3bce
-
Filesize
373KB
MD5601a28eb2d845d729ddd7330cbae6fd6
SHA15cf9f6f9135c903d42a7756c638333db8621e642
SHA2564d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6
SHA5121687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
4KB
-
Filesize
704KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
12KB