c92352d38a526cf8d4e5a1ea0c118a37dd0c5abab846086f7fc760fbc9e54ed6

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 08:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
Size

476KB
MD5

62b12477a3468dc789f91d8fd9e2ba8e
SHA1

5f681b5b7d9432215b593c2f7d3131175dec3da5
SHA256

c92352d38a526cf8d4e5a1ea0c118a37dd0c5abab846086f7fc760fbc9e54ed6
SHA512

3a89228bd1f3d6ab6b01788d191101d7e5984696fcead5e9a5a67560a033a93cd28e90de44811951a072a13761c02a82aed2b78370ff6a801a67123e4d86e787
SSDEEP

6144:4ThBhkx6m6yfxIaf0hqRdexsQGb7Lu7tiJ0QBj3jVQ4LATJwPrLxvvqrGiJLSZQ:AnCJu7sZjVQ4LwqPLw

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\555F1D06\\iexplorer.exe"	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\pavk.bin	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1048	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
Token: SeDebugPrivilege	3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
Token: SeDebugPrivilege	3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
Token: SeDebugPrivilege	3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
Token: SeDebugPrivilege	3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
Token: SeDebugPrivilege	3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
Token: SeDebugPrivilege	3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
Token: SeDebugPrivilege	3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
Token: SeDebugPrivilege	3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
Token: SeDebugPrivilege	3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 4340	3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe	88
PID 3952 wrote to memory of 4340	3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe	88
PID 3952 wrote to memory of 4340	3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe	88
PID 3952 wrote to memory of 1048	3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe	91
PID 3952 wrote to memory of 1048	3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe	91
PID 3952 wrote to memory of 1048	3952	62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\62b12477a3468dc789f91d8fd9e2ba8e_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn WindowsUpdate555F1D06
  2⤵
  PID:4340
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc ONLOGON /tn WindowsUpdate555F1D06 /tr "C:\Users\Admin\AppData\Roaming\555F1D06\iexplorer.exe" /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YB09K3UP\plugin[1].htm

Filesize
167B

MD5
0104c301c5e02bd6148b8703d19b3a73

SHA1
7436e0b4b1f8c222c38069890b75fa2baf9ca620

SHA256
446a6087825fa73eadb045e5a2e9e2adf7df241b571228187728191d961dda1f

SHA512
84427b656a6234a651a6d8285c103645b861a18a6c5af4abb5cb4f3beb5a4f0df4a74603a0896c7608790fbb886dc40508e92d5709f44dca05dd46c8316d15bf

Download Submit
C:\Users\Admin\AppData\Roaming\555F1D06\60D1F555k

Filesize
33B

MD5
106032725afc908f7d5e6aad000e68f2

SHA1
f118e123d0eafde21cff36bece9bad13eeb46ec8

SHA256
5aff0f50c17941e48254aceb70587ff5f877a27e989aec6bf464ae63df87982c

SHA512
53593b629ee8d7d8ee7cf00ac01ec3331209fae1c7ef4c3f03b5bf1f2e80b7cf2deebc4ec965a426353cb41334ca858f17423234b83f62f40116bed389503c58

Download Submit
C:\Users\Admin\AppData\Roaming\555F1D06\iexplorer.exe

Filesize
476KB

MD5
62b12477a3468dc789f91d8fd9e2ba8e

SHA1
5f681b5b7d9432215b593c2f7d3131175dec3da5

SHA256
c92352d38a526cf8d4e5a1ea0c118a37dd0c5abab846086f7fc760fbc9e54ed6

SHA512
3a89228bd1f3d6ab6b01788d191101d7e5984696fcead5e9a5a67560a033a93cd28e90de44811951a072a13761c02a82aed2b78370ff6a801a67123e4d86e787

Download Submit