bb09c951e1594b3a2da7ca435ba693d419e84029f8d32e3dabc73aebb5b35e34

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffabf4729a35631969269c6a7f4568cb_JaffaCakes118.exe
Size

241KB
MD5

ffabf4729a35631969269c6a7f4568cb
SHA1

5cbe02068968110acf064f7ea6a76a9404985263
SHA256

bb09c951e1594b3a2da7ca435ba693d419e84029f8d32e3dabc73aebb5b35e34
SHA512

7c025e582a49395b4c78126919f7a86866aee10b309b3d15b8d8de50e1860140268a885165a0aca7beeeb312dcaa16a6abc137fd8bfc5d87fb585ea476256547
SSDEEP

6144:F9tGyuXd9TpU71a1jKutzauuobIta+EHOMRPleN7+11uU:FjFuX7i71AKutzauBwamMPuU

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
5084	ffabf4729a35631969269c6a7f4568cb_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
5084	ffabf4729a35631969269c6a7f4568cb_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
47	pastebin.com
132	pastebin.com
137	pastebin.com
199	pastebin.com
200	pastebin.com
20	pastebin.com
37	pastebin.com
164	pastebin.com
203	pastebin.com
209	pastebin.com
59	pastebin.com
76	pastebin.com
150	pastebin.com
177	pastebin.com
196	pastebin.com
49	pastebin.com
71	pastebin.com
185	pastebin.com
198	pastebin.com
206	pastebin.com
194	pastebin.com
202	pastebin.com
210	pastebin.com
26	pastebin.com
34	pastebin.com
143	pastebin.com
160	pastebin.com
193	pastebin.com
211	pastebin.com
207	pastebin.com
166	pastebin.com
176	pastebin.com
179	pastebin.com
62	pastebin.com
68	pastebin.com
103	pastebin.com
127	pastebin.com
133	pastebin.com
192	pastebin.com
201	pastebin.com
124	pastebin.com
131	pastebin.com
149	pastebin.com
158	pastebin.com
191	pastebin.com
204	pastebin.com
205	pastebin.com
87	pastebin.com
129	pastebin.com
180	pastebin.com
184	pastebin.com
195	pastebin.com
40	pastebin.com
134	pastebin.com
189	pastebin.com
90	pastebin.com
125	pastebin.com
186	pastebin.com
197	pastebin.com
52	pastebin.com
159	pastebin.com
187	pastebin.com
190	pastebin.com
94	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5084	ffabf4729a35631969269c6a7f4568cb_JaffaCakes118.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5084	ffabf4729a35631969269c6a7f4568cb_JaffaCakes118.exe
5084	ffabf4729a35631969269c6a7f4568cb_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
640	ffabf4729a35631969269c6a7f4568cb_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
640	ffabf4729a35631969269c6a7f4568cb_JaffaCakes118.exe
5084	ffabf4729a35631969269c6a7f4568cb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 5084	640	ffabf4729a35631969269c6a7f4568cb_JaffaCakes118.exe	84
PID 640 wrote to memory of 5084	640	ffabf4729a35631969269c6a7f4568cb_JaffaCakes118.exe	84
PID 640 wrote to memory of 5084	640	ffabf4729a35631969269c6a7f4568cb_JaffaCakes118.exe	84
PID 5084 wrote to memory of 1016	5084	ffabf4729a35631969269c6a7f4568cb_JaffaCakes118.exe	88
PID 5084 wrote to memory of 1016	5084	ffabf4729a35631969269c6a7f4568cb_JaffaCakes118.exe	88
PID 5084 wrote to memory of 1016	5084	ffabf4729a35631969269c6a7f4568cb_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\ffabf4729a35631969269c6a7f4568cb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ffabf4729a35631969269c6a7f4568cb_JaffaCakes118.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\AppData\Local\Temp\ffabf4729a35631969269c6a7f4568cb_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ffabf4729a35631969269c6a7f4568cb_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\ffabf4729a35631969269c6a7f4568cb_JaffaCakes118.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ffabf4729a35631969269c6a7f4568cb_JaffaCakes118.exe

Filesize
241KB

MD5
5c7e1c021f8c6daffafc2b7a6bad14ac

SHA1
a7f1bf5a7a3dc6b06494342df3354159005fdbf5

SHA256
f205ef766259c845edc69dd8bb0171c137a8d09b2f5ad2adafd1948682d609d7

SHA512
9a1b39b18d4bde92378954e35cc740568acb9bd1b97579292f24214bf044a843fa58244e9442040e45aaf9121cd96c1ba70b86da0109b69eef55064657028a7f

Download Submit
memory/640-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/640-1-0x00000000016C0000-0x0000000001777000-memory.dmp

Filesize
732KB

Download
memory/640-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/640-11-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5084-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5084-13-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5084-16-0x00000000016E0000-0x0000000001797000-memory.dmp

Filesize
732KB

Download
memory/5084-21-0x0000000002800000-0x0000000002866000-memory.dmp

Filesize
408KB

Download
memory/5084-20-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download