4af3004a8a95ee935d7dadbb800db7c66a6639b7a259c680691b30039bf10331

Analysis

max time kernel
150s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 05:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

036361207082011c352e892beaf972f4_JaffaCakes118.exe
Size

17KB
MD5

036361207082011c352e892beaf972f4
SHA1

97f739ecb07d12f18e6d6a4b925112d819f428e0
SHA256

4af3004a8a95ee935d7dadbb800db7c66a6639b7a259c680691b30039bf10331
SHA512

0cecc01cf1c1d651dad240b0391703e2531b45c22f8f91469187b7938434dac61f2b306bd8f4c78031a58a50085225c36bb50fa86eae8d2ac5ca5453aa55475d
SSDEEP

384:RSwUacjDzyWx2NuoGYWRyGIeoqpf8o5FsTi9FmeuR:rV6WCoG1RyGIet8ovsTEqR

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	ishost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\ishost.exe = "ishost.exe"	ishost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	036361207082011c352e892beaf972f4_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
968	ishost.exe
3596	ismon.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ishost.exe	036361207082011c352e892beaf972f4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ishost.exe	036361207082011c352e892beaf972f4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ismon.exe	ishost.exe
File created	C:\Windows\SysWOW64\components\flx0.dll	ishost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3116	036361207082011c352e892beaf972f4_JaffaCakes118.exe
3116	036361207082011c352e892beaf972f4_JaffaCakes118.exe
968	ishost.exe
968	ishost.exe
968	ishost.exe
968	ishost.exe
3596	ismon.exe
3596	ismon.exe
968	ishost.exe
968	ishost.exe
3596	ismon.exe
3596	ismon.exe
968	ishost.exe
968	ishost.exe
3596	ismon.exe
3596	ismon.exe
968	ishost.exe
968	ishost.exe
3596	ismon.exe
3596	ismon.exe
968	ishost.exe
968	ishost.exe
968	ishost.exe
968	ishost.exe
3596	ismon.exe
3596	ismon.exe
968	ishost.exe
968	ishost.exe
3596	ismon.exe
3596	ismon.exe
968	ishost.exe
968	ishost.exe
3596	ismon.exe
3596	ismon.exe
968	ishost.exe
968	ishost.exe
968	ishost.exe
968	ishost.exe
3596	ismon.exe
3596	ismon.exe
968	ishost.exe
968	ishost.exe
3596	ismon.exe
3596	ismon.exe
968	ishost.exe
968	ishost.exe
3596	ismon.exe
3596	ismon.exe
968	ishost.exe
968	ishost.exe
968	ishost.exe
968	ishost.exe
3596	ismon.exe
3596	ismon.exe
968	ishost.exe
968	ishost.exe
3596	ismon.exe
3596	ismon.exe
968	ishost.exe
968	ishost.exe
3596	ismon.exe
3596	ismon.exe
968	ishost.exe
968	ishost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3116	036361207082011c352e892beaf972f4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 968	3116	036361207082011c352e892beaf972f4_JaffaCakes118.exe	82
PID 3116 wrote to memory of 968	3116	036361207082011c352e892beaf972f4_JaffaCakes118.exe	82
PID 3116 wrote to memory of 968	3116	036361207082011c352e892beaf972f4_JaffaCakes118.exe	82
PID 968 wrote to memory of 3596	968	ishost.exe	83
PID 968 wrote to memory of 3596	968	ishost.exe	83
PID 968 wrote to memory of 3596	968	ishost.exe	83
PID 3116 wrote to memory of 3892	3116	036361207082011c352e892beaf972f4_JaffaCakes118.exe	84
PID 3116 wrote to memory of 3892	3116	036361207082011c352e892beaf972f4_JaffaCakes118.exe	84
PID 3116 wrote to memory of 3892	3116	036361207082011c352e892beaf972f4_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\036361207082011c352e892beaf972f4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\036361207082011c352e892beaf972f4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Windows\SysWOW64\ishost.exe
  C:\Windows\system32\ishost.exe
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\SysWOW64\ismon.exe
    C:\Windows\system32\ismon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3596
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\036361~1.EXE > nul
  2⤵
  PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ishost.exe

Filesize
35KB

MD5
509694fa59a2ab725a5a56cd6d10695c

SHA1
e7a62fbd16d80ada9474d27b20643cdaec0325fa

SHA256
02dc5186552b1a8e6d4499216b8b0ea5488178eea3412b4be012bbb80bbcf078

SHA512
0c0d6efc619179e94a668e8ec1051bceab059c563bbee2e4a7b4e03fadb093b958842805f723a35fd5566b0d59bc57ac61ea531ab3f8f36e27497bb1342a50e1

Download Submit
C:\Windows\SysWOW64\ismon.exe

Filesize
5KB

MD5
90643638b84ec0538e8e3baf3b43173a

SHA1
c1ac2c07715b07434d1aefdbd4e92e0c8e6c259f

SHA256
ea5d8dced2204818c8dc1514e68bc24d9d33cd5f40ed410a6a97d8a6d366fab5

SHA512
2026d0607947f896a0d8a16429e5a40d1b77ba3d8e3f75e14178be6717e1d2db26052f6cad3b159786b38d6b0e03bded79fafd94e44a22e0e8e3bf1b39d8f54d

Download Submit