b57e589ef7ee2da883663527878128aa0c1909d0ba7a9bca91f10f04e91a47fb

Analysis

max time kernel
139s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe
Size

1.4MB
MD5

6081277b1c6a1fcb478cd938298bd327
SHA1

2581861ef703055895db434dfcab89746102ff7e
SHA256

b57e589ef7ee2da883663527878128aa0c1909d0ba7a9bca91f10f04e91a47fb
SHA512

7bf6299df2d0f6eed284c8959d582fa0ecaaea66fe403b78eebb5c077de95a262d40683b1129804cf55edf422dc01d199c65855aa273d5974ec8da174c599ba5
SSDEEP

12288:MandmtR21mT1TUylJDvc8aYm59SDV5Sor8gZWkXaXyo+5DCG4OQRQNxHb4KDqapV:MW1uGy+SRQorc5ihDCIAK9/ICH

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk	name.exe

Executes dropped EXE 2 IoCs

pid	Process
2928	name.exe
3284	name.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3060 set thread context of 760	3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe	95
PID 2928 set thread context of 3284	2928	name.exe	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe
3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe
3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe
3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe
3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe
3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe
3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe
3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe
3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe
3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe
3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe
3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe
3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe
3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe
3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe
3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe
3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe
3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe
3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe
2928	name.exe
2928	name.exe
2928	name.exe
2928	name.exe
2928	name.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe
Token: SeDebugPrivilege	2928	name.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
760	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 4784	3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe	92
PID 3060 wrote to memory of 4784	3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe	92
PID 3060 wrote to memory of 4784	3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe	92
PID 4784 wrote to memory of 604	4784	cmd.exe	94
PID 4784 wrote to memory of 604	4784	cmd.exe	94
PID 4784 wrote to memory of 604	4784	cmd.exe	94
PID 3060 wrote to memory of 760	3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe	95
PID 3060 wrote to memory of 760	3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe	95
PID 3060 wrote to memory of 760	3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe	95
PID 3060 wrote to memory of 760	3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe	95
PID 3060 wrote to memory of 760	3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe	95
PID 3060 wrote to memory of 760	3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe	95
PID 3060 wrote to memory of 760	3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe	95
PID 3060 wrote to memory of 760	3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe	95
PID 3060 wrote to memory of 2928	3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe	99
PID 3060 wrote to memory of 2928	3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe	99
PID 3060 wrote to memory of 2928	3060	6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe	99
PID 2928 wrote to memory of 2016	2928	name.exe	100
PID 2928 wrote to memory of 2016	2928	name.exe	100
PID 2928 wrote to memory of 2016	2928	name.exe	100
PID 2016 wrote to memory of 3532	2016	cmd.exe	102
PID 2016 wrote to memory of 3532	2016	cmd.exe	102
PID 2016 wrote to memory of 3532	2016	cmd.exe	102
PID 2928 wrote to memory of 3284	2928	name.exe	103
PID 2928 wrote to memory of 3284	2928	name.exe	103
PID 2928 wrote to memory of 3284	2928	name.exe	103
PID 2928 wrote to memory of 3284	2928	name.exe	103
PID 2928 wrote to memory of 3284	2928	name.exe	103
PID 2928 wrote to memory of 3284	2928	name.exe	103
PID 2928 wrote to memory of 3284	2928	name.exe	103
PID 2928 wrote to memory of 3284	2928	name.exe	103

C:\Users\Admin\AppData\Local\Temp\6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk " /f
    3⤵
    PID:604
- C:\Users\Admin\AppData\Local\Temp\6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\6081277b1c6a1fcb478cd938298bd327_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:760
- C:\Users\Admin\AppData\Roaming\FolderN\name.exe
  C:\Users\Admin\AppData\Roaming\FolderN\name.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk " /f
      4⤵
      PID:3532
- - C:\Users\Admin\AppData\Roaming\FolderN\name.exe
    "C:\Users\Admin\AppData\Roaming\FolderN\name.exe"
    3⤵
    - Executes dropped EXE
    PID:3284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FolderN\name.exe

Filesize
1.4MB

MD5
6081277b1c6a1fcb478cd938298bd327

SHA1
2581861ef703055895db434dfcab89746102ff7e

SHA256
b57e589ef7ee2da883663527878128aa0c1909d0ba7a9bca91f10f04e91a47fb

SHA512
7bf6299df2d0f6eed284c8959d582fa0ecaaea66fe403b78eebb5c077de95a262d40683b1129804cf55edf422dc01d199c65855aa273d5974ec8da174c599ba5

Download Submit
C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk

Filesize
856B

MD5
52ea2c22657e7311e2aac5be5f48e26c

SHA1
1619143ff0c81a6db18684b6a9eee291820a45ba

SHA256
6d65177e9d5403f6f85c385fcd16937c74cc5b5cb9a2cd160bc18fc93c690549

SHA512
d48613e6ce253b1bca6bc66787f0177970dbb49073c007415ce100c3000c5c28487d4d08bedb42dbc90166f00b1bfa61d23dd469507ec17198e386bd6a003b6b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk

Filesize
898B

MD5
422417f3bc73b5cf38edddfe6327826e

SHA1
64513e8e340038f332750627aa0f8e3b74654c7f

SHA256
98eff393198cff813fefdbe4b9bc7dc434a1f44856aa368482d94bb79e073265

SHA512
dd5abe372a64544361771490294f750e675f014f8b06009c8b8720e2d40a914e6425606f74f9cc65c7eff8ce91eb0c4e5b1333224ee95bd71b5fa444a971e955

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
89KB

MD5
84c42d0f2c1ae761bef884638bc1eacd

SHA1
4353881e7f4e9c7610f4e0489183b55bb58bb574

SHA256
331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3

SHA512
43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

Download Submit
memory/760-31-0x00000000753E0000-0x0000000075991000-memory.dmp

Filesize
5.7MB

Download
memory/760-6-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/760-7-0x00000000753E0000-0x0000000075991000-memory.dmp

Filesize
5.7MB

Download
memory/760-8-0x00000000753E0000-0x0000000075991000-memory.dmp

Filesize
5.7MB

Download
memory/760-9-0x00000000753E0000-0x0000000075991000-memory.dmp

Filesize
5.7MB

Download
memory/2928-30-0x00000000753E0000-0x0000000075991000-memory.dmp

Filesize
5.7MB

Download
memory/2928-16-0x00000000753E0000-0x0000000075991000-memory.dmp

Filesize
5.7MB

Download
memory/2928-17-0x00000000753E0000-0x0000000075991000-memory.dmp

Filesize
5.7MB

Download
memory/3060-15-0x00000000753E0000-0x0000000075991000-memory.dmp

Filesize
5.7MB

Download
memory/3060-20-0x00000000753E0000-0x0000000075991000-memory.dmp

Filesize
5.7MB

Download
memory/3060-18-0x00000000753E2000-0x00000000753E3000-memory.dmp

Filesize
4KB

Download
memory/3060-0-0x00000000753E2000-0x00000000753E3000-memory.dmp

Filesize
4KB

Download
memory/3060-2-0x00000000753E0000-0x0000000075991000-memory.dmp

Filesize
5.7MB

Download
memory/3060-1-0x00000000753E0000-0x0000000075991000-memory.dmp

Filesize
5.7MB

Download