a0d96b8cb45e309dc4b6b2f8835e280ba0c3827de6407bd0de77bc4379e365aa

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 17:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

642b61945c42587f18d68cf52ba21e9e_JaffaCakes118.exe
Size

660KB
MD5

642b61945c42587f18d68cf52ba21e9e
SHA1

977c4d5af237ad6b8a4ff083356a60540e7a860c
SHA256

a0d96b8cb45e309dc4b6b2f8835e280ba0c3827de6407bd0de77bc4379e365aa
SHA512

e99308054d31ab17a66a903f9113a08c103403fd14b6f98ee617b0fb48f61f2174b9a12a7ae17db5e8fc69e74813785448dcc2817c1e5bbf8d0947b6a6022eb7
SSDEEP

6144:rw3Wp0yN90QE7soPUPSISrndZ68t9bUEghyVlnEzADTDZvyLrXn8XKaZ:rw3y90+oPUKI0kCbUEgklnEUXhzXKc

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2932	PP_OUT~2.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	642b61945c42587f18d68cf52ba21e9e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2932	PP_OUT~2.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 2932	4704	642b61945c42587f18d68cf52ba21e9e_JaffaCakes118.exe	83
PID 4704 wrote to memory of 2932	4704	642b61945c42587f18d68cf52ba21e9e_JaffaCakes118.exe	83
PID 4704 wrote to memory of 2932	4704	642b61945c42587f18d68cf52ba21e9e_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\642b61945c42587f18d68cf52ba21e9e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\642b61945c42587f18d68cf52ba21e9e_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PP_OUT~2.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PP_OUT~2.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2932-7-0x00000000005E0000-0x00000000005E7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads