4e96d101c6360734cf95faac4b2ca1d0b2cca54eb37c25efa33cef9ee36cabb0

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0210a26cc4a60d10ee38631f612714f2_JaffaCakes118.exe
Size

1.3MB
MD5

0210a26cc4a60d10ee38631f612714f2
SHA1

3e98fb6cfdc8d6b115c811f68163dd99ca0ac08c
SHA256

4e96d101c6360734cf95faac4b2ca1d0b2cca54eb37c25efa33cef9ee36cabb0
SHA512

a17f77bb7f4079dae36ee61627164e9e123b2614cdaea924089f1fc9f308e5233694ae1e9bca99f2c4b32b0ce6eedd0a65b49897713cf46edbbdd72e18417e5c
SSDEEP

24576:tg7SunoVFD52Rpvqvix6M+Bh+1cG9VzPKtzeDxsr092ChV6GpQukt6y2TlUE90l/:a7SunoVFDsHCzMgUhV2xeDxz2G5e24/b

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4740	GSf5zY.exe

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
4736	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4736	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4736	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4736	MSIEXEC.EXE
4736	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 4740	3888	0210a26cc4a60d10ee38631f612714f2_JaffaCakes118.exe	83
PID 3888 wrote to memory of 4740	3888	0210a26cc4a60d10ee38631f612714f2_JaffaCakes118.exe	83
PID 3888 wrote to memory of 4740	3888	0210a26cc4a60d10ee38631f612714f2_JaffaCakes118.exe	83
PID 4740 wrote to memory of 4736	4740	GSf5zY.exe	94
PID 4740 wrote to memory of 4736	4740	GSf5zY.exe	94
PID 4740 wrote to memory of 4736	4740	GSf5zY.exe	94

C:\Users\Admin\AppData\Local\Temp\0210a26cc4a60d10ee38631f612714f2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0210a26cc4a60d10ee38631f612714f2_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Users\Admin\AppData\Local\Temp\GSf5zY.exe
  "C:\Users\Admin\AppData\Local\Temp\GSf5zY.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "http://setup.realtimegaming.com/36175/cdn/GoldClubSlotOnlineThai/Gold Club Slot Online Thai20120103052202.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="GSf5zY.exe"
    3⤵
    - Use of msiexec (install) with remote resource
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:4736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GSf5zY.exe

Filesize
1.1MB

MD5
5b080d3ff1aaa4b3422b036040632a9f

SHA1
25f79511d9417f6e0854aaec4eed849e1440d77b

SHA256
5a7ffb3d5f7c66502d813a6f7f879357b0fe9aaa94317dbcc59f922fb37f1e28

SHA512
190e6fef07c3c4edb02387da279a3896c7c79ebca9c1ef36dc1737bc5c873923e41ae1eece7c3723e536c9b533acb098edcb8fcc30a3ab20e6bd5a0443dc7a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is4C7F.tmp

Filesize
1KB

MD5
62af294789dfddba6b4525966f5e80f3

SHA1
9a113c506c7cf438d00f95162d99c5728eac18e1

SHA256
fb89b3b9e3b67469038ab9f53468cd2e8dae808a51f6e3226afd1bf5e8630869

SHA512
274e47874cc0f1892b34b9f3d0f397896a3f059d847def2a526d20a431c42d26f5bd74fe430dbbbbfe904c38cc8cb7b56c03059ab1304719fbbf45304cc23b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\{ADE61F7A-660F-4CB2-AE6F-E6989054B311}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{ADE61F7A-660F-4CB2-AE6F-E6989054B311}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~4C7C.tmp

Filesize
5KB

MD5
b3fea95453fd8a5a3432c7934d3c24fe

SHA1
ad7fe0b8e90b3ebfe024e5a0f9ddb63f39e35995

SHA256
fe58efaa094b0b03acd19b9907d312a8a623cd9fbaca7e6046058d0f9550e274

SHA512
543fd726cf2ed29d64a4e3c56959af8656fa080a957a5e8779599d261f5b631382594bce2f9b5a41d84acdd406dc98805ae429f6b8f3d3700940ccf65d40c134

Download Submit