8112636a60f6c618a55624cd8d6cdec6d6c70e834c7356ffaa6cc1742889228d

Analysis

max time kernel
134s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4479b37295b978bc81b1edf547ebddf5_JaffaCakes118.exe
Size

1.4MB
MD5

4479b37295b978bc81b1edf547ebddf5
SHA1

d423944a9b7689c43d854b9ca084f6cc56ad2307
SHA256

8112636a60f6c618a55624cd8d6cdec6d6c70e834c7356ffaa6cc1742889228d
SHA512

589d1c28ccfe1cfeaa1eef5c11637232d4127b764189a37d9e1991686e362fa77a58c605581727bd1eb6a63ad82b99104df1f1c479823ffd183bde03043bdfdb
SSDEEP

24576:zub3zUtvDOFwUj+d/4UHLKNwa/SIA/rL4nyauwXtgUz/V+6JihK9P5/LvOYKe17l:zub3zUtvDMj0QUONwcAPQ15VJGkZ17XV

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4479b37295b978bc81b1edf547ebddf5_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	4479b37295b978bc81b1edf547ebddf5_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2244 set thread context of 2344	2244	4479b37295b978bc81b1edf547ebddf5_JaffaCakes118.exe	82

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	4479b37295b978bc81b1edf547ebddf5_JaffaCakes118.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wg2028915592f.vps	4479b37295b978bc81b1edf547ebddf5_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\wg2028915592f.vps\ = a08954e5abe02f4c4007e63ca52927a7	4479b37295b978bc81b1edf547ebddf5_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2344	notepad.exe
2344	notepad.exe
2344	notepad.exe
2344	notepad.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	notepad.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2244	4479b37295b978bc81b1edf547ebddf5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2344	2244	4479b37295b978bc81b1edf547ebddf5_JaffaCakes118.exe	82
PID 2244 wrote to memory of 2344	2244	4479b37295b978bc81b1edf547ebddf5_JaffaCakes118.exe	82
PID 2244 wrote to memory of 2344	2244	4479b37295b978bc81b1edf547ebddf5_JaffaCakes118.exe	82
PID 2244 wrote to memory of 2344	2244	4479b37295b978bc81b1edf547ebddf5_JaffaCakes118.exe	82
PID 2244 wrote to memory of 2344	2244	4479b37295b978bc81b1edf547ebddf5_JaffaCakes118.exe	82
PID 2244 wrote to memory of 2344	2244	4479b37295b978bc81b1edf547ebddf5_JaffaCakes118.exe	82
PID 2244 wrote to memory of 2344	2244	4479b37295b978bc81b1edf547ebddf5_JaffaCakes118.exe	82
PID 2244 wrote to memory of 2344	2244	4479b37295b978bc81b1edf547ebddf5_JaffaCakes118.exe	82
PID 2244 wrote to memory of 2344	2244	4479b37295b978bc81b1edf547ebddf5_JaffaCakes118.exe	82
PID 2344 wrote to memory of 2244	2344	notepad.exe	81
PID 2344 wrote to memory of 2244	2344	notepad.exe	81
PID 2344 wrote to memory of 1780	2344	notepad.exe	83
PID 2344 wrote to memory of 1780	2344	notepad.exe	83

C:\Users\Admin\AppData\Local\Temp\4479b37295b978bc81b1edf547ebddf5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4479b37295b978bc81b1edf547ebddf5_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\notepad.exe
    "C:\Windows\notepad.exe" -c "C:\Users\Admin\AppData\Local\muuEquuwjW\cfgi"
    3⤵
    PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2244-0-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/2244-9-0x0000000000401000-0x00000000004FA000-memory.dmp

Filesize
996KB

Download
memory/2244-15-0x00000000030F0000-0x00000000031B9000-memory.dmp

Filesize
804KB

Download
memory/2244-20-0x0000000000401000-0x00000000004FA000-memory.dmp

Filesize
996KB

Download
memory/2244-19-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/2344-12-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2344-10-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2344-16-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2344-18-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download