d3d2ba13203ddae47486e578be45088a1b3de83d3b6cc896a9bfd46d27ea31b8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cb77c3ba54a62bb7721116a5d580009_JaffaCakes118.exe
Size

1.9MB
MD5

7cb77c3ba54a62bb7721116a5d580009
SHA1

648f63f673981a5702007f515cfe273e8e4011b6
SHA256

d3d2ba13203ddae47486e578be45088a1b3de83d3b6cc896a9bfd46d27ea31b8
SHA512

2e822653fd6f93e95a349adc59d53181e2dea4b0ba81e22601bea14ee5d297e0334e5fed26c806b9dcebb7f40c6a9c7ef4a72bb252273145bc32967a2681319a
SSDEEP

49152:xa4A7xU81kHR6gWakurxp9Z7WHI1xtTTKXcqA:xas7Wo1bQcqA

Score

7^/10

evasion trojan

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
3796	7cb77c3ba54a62bb7721116a5d580009_JaffaCakes118.exe
3796	7cb77c3ba54a62bb7721116a5d580009_JaffaCakes118.exe
3796	7cb77c3ba54a62bb7721116a5d580009_JaffaCakes118.exe
3796	7cb77c3ba54a62bb7721116a5d580009_JaffaCakes118.exe
3796	7cb77c3ba54a62bb7721116a5d580009_JaffaCakes118.exe
3796	7cb77c3ba54a62bb7721116a5d580009_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7cb77c3ba54a62bb7721116a5d580009_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 3964	4780	7cb77c3ba54a62bb7721116a5d580009_JaffaCakes118.exe	83
PID 4780 wrote to memory of 3964	4780	7cb77c3ba54a62bb7721116a5d580009_JaffaCakes118.exe	83
PID 4780 wrote to memory of 3964	4780	7cb77c3ba54a62bb7721116a5d580009_JaffaCakes118.exe	83
PID 3964 wrote to memory of 3796	3964	7cb77c3ba54a62bb7721116a5d580009_JaffaCakes118.exe	84
PID 3964 wrote to memory of 3796	3964	7cb77c3ba54a62bb7721116a5d580009_JaffaCakes118.exe	84
PID 3964 wrote to memory of 3796	3964	7cb77c3ba54a62bb7721116a5d580009_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\7cb77c3ba54a62bb7721116a5d580009_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7cb77c3ba54a62bb7721116a5d580009_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Users\Admin\AppData\Local\Temp\7cb77c3ba54a62bb7721116a5d580009_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\7cb77c3ba54a62bb7721116a5d580009_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Users\Admin\AppData\Local\Temp\7cb77c3ba54a62bb7721116a5d580009_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7cb77c3ba54a62bb7721116a5d580009_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Checks whether UAC is enabled
    PID:3796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A2ksINMdu3He1LOWLGI\1rnDAlrFQ.dll

Filesize
74KB

MD5
0d27e481f609fdd7377b19fc9ba74ba0

SHA1
083359b5aaa14e6df7ace067465866f7ae2e46ad

SHA256
df6eae4f30540267391714aada549169d28df864185242fd1d078890cc0887e3

SHA512
aa86665a78302f976ab3c8b460b1529b3b8dff4bd517924919ff48d14dddfcb16cf555df377908064a32048347c1da874c7bc0d4b05c998e359646d917dd2fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\A2ksINMdu3He1LOWLGI\2x4tb2HUrw.dll

Filesize
200KB

MD5
5751dc59620b225f8bb57eaf4124a33c

SHA1
143b5921af9d9e0da32b07d98fcb7b03eee1f2da

SHA256
d7a9665d8f85a8ed31e35fe275889dbc3c2462e635b82e0b7aed0d239d58b897

SHA512
59e28e8c5ae93abae73511e5ce5bc7f837d7776825ca24d5d5815c1f302a52c08659ff37b51bc16bbb7b00764f76370f43b4c61bf015cf00a70ee5ad3b574200

Download Submit
C:\Users\Admin\AppData\Local\Temp\A2ksINMdu3He1LOWLGI\lua51.dll

Filesize
494KB

MD5
f0c59526f8186eadaf2171b8fd2967c1

SHA1
8ffbe3e03d8139b50b41931c7b3360a0eebdb5cb

SHA256
6e35d85fe4365e508adc7faffc4517c29177380c2ba420f02c2b9ee03103d3f6

SHA512
dccd287c5f25cac346836e1140b743756178d01cd58539cf8fac12f7ae54d338bfb4364c650edb4d6018ef1f4065f7e9835d32fd608f8ae66c67a0ffd05e9854

Download Submit
C:\Users\Admin\AppData\Local\Temp\A2ksINMdu3He1LOWLGI\yZvWSsXxcDUukLwXNnrSdEbC90vWFf90iJ.dll

Filesize
5KB

MD5
44dac7f87bdf94d553f8d2cf073d605d

SHA1
21bf5d714b9fcab32ba40ff7d36e48c378b67a06

SHA256
0e7dedad1360a808e7ab1086ff1fffa7b72f09475c07a6991b74a6c6b78ccf66

SHA512
92c6bf81d514b3a07e7796843200a78c17969720776b03c0d347aeefedb8f1269f6aac642728a38544836c1f17c594d570718d11368dc91fe5194ee5e83e1774

Download Submit
memory/3796-24-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/3796-10-0x0000000000650000-0x0000000000667000-memory.dmp

Filesize
92KB

Download
memory/3796-25-0x000000007FE30000-0x000000007FE40000-memory.dmp

Filesize
64KB

Download
memory/3796-2-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3796-23-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/3796-22-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/3796-21-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/3796-20-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/3796-17-0x00000000007C0000-0x00000000007F6000-memory.dmp

Filesize
216KB

Download
memory/3964-1-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4780-0-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download