cb0168111793bf5b718c09522e98c258a55038ecf801ec1ca81621f77fa0e3dd

Analysis

max time kernel
133s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3aaaa4f6eb0e7f4f2d497f3a2edf1260_JaffaCakes118.exe
Size

338KB
MD5

3aaaa4f6eb0e7f4f2d497f3a2edf1260
SHA1

a6633c2d8f16ef27bb73f3a99caeaffab5e708f6
SHA256

cb0168111793bf5b718c09522e98c258a55038ecf801ec1ca81621f77fa0e3dd
SHA512

159044de7ac6bc856986e390ac2796077d079c0a7950f25c092e1c80ce013a14e8089980b7b15af8ee4b2ab7501e5b6a1688ae5a8f730cd578524aef65767633
SSDEEP

3072:StwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwvwKbk0i0iq+:muj8NDF3OR9/Qe2HdJfwKbk0i0iL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2576	casino_extensions.exe
5008	Casino_ext.exe
4732	casino_extensions.exe
3756	Casino_ext.exe
1228	LiveMessageCenter.exe
4680	casino_extensions.exe
2000	Casino_ext.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5008	Casino_ext.exe
5008	Casino_ext.exe
3756	Casino_ext.exe
3756	Casino_ext.exe
1228	LiveMessageCenter.exe
1228	LiveMessageCenter.exe
2000	Casino_ext.exe
2000	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1792	3aaaa4f6eb0e7f4f2d497f3a2edf1260_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 3416	1792	3aaaa4f6eb0e7f4f2d497f3a2edf1260_JaffaCakes118.exe	83
PID 1792 wrote to memory of 3416	1792	3aaaa4f6eb0e7f4f2d497f3a2edf1260_JaffaCakes118.exe	83
PID 1792 wrote to memory of 3416	1792	3aaaa4f6eb0e7f4f2d497f3a2edf1260_JaffaCakes118.exe	83
PID 3416 wrote to memory of 2576	3416	casino_extensions.exe	84
PID 3416 wrote to memory of 2576	3416	casino_extensions.exe	84
PID 3416 wrote to memory of 2576	3416	casino_extensions.exe	84
PID 2576 wrote to memory of 5008	2576	casino_extensions.exe	85
PID 2576 wrote to memory of 5008	2576	casino_extensions.exe	85
PID 2576 wrote to memory of 5008	2576	casino_extensions.exe	85
PID 5008 wrote to memory of 2132	5008	Casino_ext.exe	86
PID 5008 wrote to memory of 2132	5008	Casino_ext.exe	86
PID 5008 wrote to memory of 2132	5008	Casino_ext.exe	86
PID 2132 wrote to memory of 4732	2132	casino_extensions.exe	87
PID 2132 wrote to memory of 4732	2132	casino_extensions.exe	87
PID 2132 wrote to memory of 4732	2132	casino_extensions.exe	87
PID 4732 wrote to memory of 3756	4732	casino_extensions.exe	88
PID 4732 wrote to memory of 3756	4732	casino_extensions.exe	88
PID 4732 wrote to memory of 3756	4732	casino_extensions.exe	88
PID 3756 wrote to memory of 4692	3756	Casino_ext.exe	89
PID 3756 wrote to memory of 4692	3756	Casino_ext.exe	89
PID 3756 wrote to memory of 4692	3756	Casino_ext.exe	89
PID 4692 wrote to memory of 1228	4692	casino_extensions.exe	90
PID 4692 wrote to memory of 1228	4692	casino_extensions.exe	90
PID 4692 wrote to memory of 1228	4692	casino_extensions.exe	90
PID 1228 wrote to memory of 2832	1228	LiveMessageCenter.exe	91
PID 1228 wrote to memory of 2832	1228	LiveMessageCenter.exe	91
PID 1228 wrote to memory of 2832	1228	LiveMessageCenter.exe	91
PID 2832 wrote to memory of 4680	2832	casino_extensions.exe	92
PID 2832 wrote to memory of 4680	2832	casino_extensions.exe	92
PID 2832 wrote to memory of 4680	2832	casino_extensions.exe	92
PID 4680 wrote to memory of 2000	4680	casino_extensions.exe	93
PID 4680 wrote to memory of 2000	4680	casino_extensions.exe	93
PID 4680 wrote to memory of 2000	4680	casino_extensions.exe	93
PID 2000 wrote to memory of 920	2000	Casino_ext.exe	94
PID 2000 wrote to memory of 920	2000	Casino_ext.exe	94
PID 2000 wrote to memory of 920	2000	Casino_ext.exe	94
PID 920 wrote to memory of 1440	920	casino_extensions.exe	95
PID 920 wrote to memory of 1440	920	casino_extensions.exe	95
PID 920 wrote to memory of 1440	920	casino_extensions.exe	95

C:\Users\Admin\AppData\Local\Temp\3aaaa4f6eb0e7f4f2d497f3a2edf1260_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3aaaa4f6eb0e7f4f2d497f3a2edf1260_JaffaCakes118.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5008
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2132
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        11⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        14⤵
        
        PID:1440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
346KB

MD5
8fd395b2fbe7429204ca34beb16c3fa1

SHA1
2f1039d6b700cb864ee2ffd1aff51ef0bd9d118c

SHA256
3ec90083c0bed5593253d2811d0b7ece7f39c2c3ced66f32bb2871278dccb5a2

SHA512
6975bfca2f37d88c8a92b14e6fab5ebf954ff616831401e36a6c955a61cf59f7f41329af3b5c135e4ce747ed480710eb57853bf705169f5e9cd4b31199b1306d

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
340KB

MD5
15624cc36764d9b9b45bf49be8ebdea6

SHA1
965084df88ee3299b4b9bb2f66acad3ed58930ad

SHA256
8e60d9148fc646f56a2c3132e6e5679d2fe9ef09eadb6f12ca03c5b812b4a49f

SHA512
914b9185e54069c87f692b6305e7ffa07176b2093e322eb15d881a4a9a17ffa9d0081ba1e169b1343943252149a97814bb980a75922db99a226dd303d868658c

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
346KB

MD5
6e44bea240aea99554d527abe835db31

SHA1
9aac35a0c788edc700791e64cfede38f8371d6d8

SHA256
e0a62892341195fb4e82d57c83177054b40dd50aabd5902c1e9c0643600636f1

SHA512
90d44e5f486a1edf9c53df4b93edb4c5d6f1ae4ba59529842fa3823761f03a0bd26869eb119c3070cc25e05ec9e4fb0e904b3527426664a6bb5838c7638d3bb6

Download Submit
memory/1792-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2576-12-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download