4f98f78f2f75cdc7b17931fc0fe66c6dc1a26bf6af26be8ebecc1edd53e80776

Analysis

max time kernel
120s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6bc36bbe134bd1d711e837e59055168_JaffaCakes118.exe
Size

449KB
MD5

b6bc36bbe134bd1d711e837e59055168
SHA1

e278b40ee33613a16fc9262e61083af9266744c6
SHA256

4f98f78f2f75cdc7b17931fc0fe66c6dc1a26bf6af26be8ebecc1edd53e80776
SHA512

edb792e7c9f40a510519ba544512987ede5bb426cadcf7ec848c2320e997d0b9fe420c46596fab5edaf1deb257cb879ced8f5337d9276c850c94b8612fbf3573
SSDEEP

12288:QPxaRCQBjHkcNqOQ/3AjTr7vHSujL6TctM3TZ:YIRCQBAcN0/3YrziTx3TZ

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4704	TablacusInstallerStuff.exe
1420	TablacusApp.exe

Loads dropped DLL 1 IoCs

pid	Process
4856	b6bc36bbe134bd1d711e837e59055168_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TablacusApp2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\TablacusApp\\TablacusApp.exe\""	TablacusApp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4856	b6bc36bbe134bd1d711e837e59055168_JaffaCakes118.exe
4856	b6bc36bbe134bd1d711e837e59055168_JaffaCakes118.exe
4856	b6bc36bbe134bd1d711e837e59055168_JaffaCakes118.exe
4856	b6bc36bbe134bd1d711e837e59055168_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 4704	4856	b6bc36bbe134bd1d711e837e59055168_JaffaCakes118.exe	81
PID 4856 wrote to memory of 4704	4856	b6bc36bbe134bd1d711e837e59055168_JaffaCakes118.exe	81
PID 4856 wrote to memory of 4704	4856	b6bc36bbe134bd1d711e837e59055168_JaffaCakes118.exe	81
PID 4856 wrote to memory of 1420	4856	b6bc36bbe134bd1d711e837e59055168_JaffaCakes118.exe	85
PID 4856 wrote to memory of 1420	4856	b6bc36bbe134bd1d711e837e59055168_JaffaCakes118.exe	85
PID 4856 wrote to memory of 1420	4856	b6bc36bbe134bd1d711e837e59055168_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\b6bc36bbe134bd1d711e837e59055168_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b6bc36bbe134bd1d711e837e59055168_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Users\Admin\AppData\Local\Temp\nsl48C2.tmp\TablacusInstallerStuff.exe
  "C:\Users\Admin\AppData\Local\Temp\nsl48C2.tmp\TablacusInstallerStuff.exe" "write_patch_str_to_reg" "C:\Users\Admin\AppData\Local\Temp\b6bc36bbe134bd1d711e837e59055168_JaffaCakes118.exe" "HKCU" "Software\TablacusApp" "badumt"
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Users\Admin\AppData\Roaming\TablacusApp\TablacusApp.exe
  C:\Users\Admin\AppData\Roaming\TablacusApp\TablacusApp.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsl48C2.tmp\TablacusInstallerStuff.exe

Filesize
104KB

MD5
4925a841acf7961288c84a50a6e752f2

SHA1
055572c0d82e173148ac8f51dc60e18efb5a3055

SHA256
d4513b2618222e18bb69c792c101af09a8c1ee2752d3930a5297eef8283f3c3b

SHA512
c499f65a37b276d737b88b27ff5ac45e8d7cdce05db62714c3ce2620494278739e661ad35b73a74bde32f5c14f0cc2249de574ddd3a2fb2eef6173c09f33bfd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl48C2.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Roaming\TablacusApp\TablacusApp.exe

Filesize
110KB

MD5
b994dae39c1c49f57213cde3df701c82

SHA1
29f9e45eb523440c3e23c9dbd65ff7e8348d4f0a

SHA256
dc090737ba9bede6d83ef63c292b1250b0b747ff19dc240ae68390d97d13536e

SHA512
61f8a7ee6c73cb0c7ab165d606421d2c7b568debbb36c83cdfbaef7c1addc07ef1354716b5bef690879452143170fe142fd02b9ac1937be8c0f3268340116f7e

Download Submit