c70a0750ace9c556107d9fed66c6ee4d13ddac4ccc0e2a88f9237375c4a04fef

Analysis

max time kernel
138s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 08:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0449950b12b326e6cdb0339990cabd8f_JaffaCakes118.exe
Size

562KB
MD5

0449950b12b326e6cdb0339990cabd8f
SHA1

e759281a0c700fe19df5d7d357d3c4df1ad73d4f
SHA256

c70a0750ace9c556107d9fed66c6ee4d13ddac4ccc0e2a88f9237375c4a04fef
SHA512

924a105e6fccd12435d8d272c8b53ed9969dba0965d569182064530c201de0cb1a836942d86818d56c0561af64b82c2dd06896e8fcfb72911ae4a6107538e634
SSDEEP

12288:0WkvXy4flTgvuETPS2UA4jaYTWvuI1u6XQ25pwG:avX9lTbETPS2+aYTVI1u6Xz7l

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3836	aline.scr
2692	aline.scr

Loads dropped DLL 1 IoCs

pid	Process
1340	svchost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\aline.scr	0449950b12b326e6cdb0339990cabd8f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\aline.scr	0449950b12b326e6cdb0339990cabd8f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tmp.bat	0449950b12b326e6cdb0339990cabd8f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\aline.dat	aline.scr

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1316	0449950b12b326e6cdb0339990cabd8f_JaffaCakes118.exe
1316	0449950b12b326e6cdb0339990cabd8f_JaffaCakes118.exe
1316	0449950b12b326e6cdb0339990cabd8f_JaffaCakes118.exe
1316	0449950b12b326e6cdb0339990cabd8f_JaffaCakes118.exe
3836	aline.scr
3836	aline.scr
3836	aline.scr
3836	aline.scr
3836	aline.scr
3836	aline.scr
2692	aline.scr
2692	aline.scr
2692	aline.scr
2692	aline.scr
2692	aline.scr
2692	aline.scr
1340	svchost.exe
1340	svchost.exe
1340	svchost.exe
1340	svchost.exe
1340	svchost.exe
1340	svchost.exe
1340	svchost.exe
1340	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	aline.scr
Token: SeDebugPrivilege	1340	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1340	svchost.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 3836	1316	0449950b12b326e6cdb0339990cabd8f_JaffaCakes118.exe	81
PID 1316 wrote to memory of 3836	1316	0449950b12b326e6cdb0339990cabd8f_JaffaCakes118.exe	81
PID 1316 wrote to memory of 3836	1316	0449950b12b326e6cdb0339990cabd8f_JaffaCakes118.exe	81
PID 1316 wrote to memory of 4468	1316	0449950b12b326e6cdb0339990cabd8f_JaffaCakes118.exe	82
PID 1316 wrote to memory of 4468	1316	0449950b12b326e6cdb0339990cabd8f_JaffaCakes118.exe	82
PID 1316 wrote to memory of 4468	1316	0449950b12b326e6cdb0339990cabd8f_JaffaCakes118.exe	82
PID 2692 wrote to memory of 1340	2692	aline.scr	85
PID 2692 wrote to memory of 1340	2692	aline.scr	85
PID 2692 wrote to memory of 1340	2692	aline.scr	85
PID 2692 wrote to memory of 1340	2692	aline.scr	85

C:\Users\Admin\AppData\Local\Temp\0449950b12b326e6cdb0339990cabd8f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0449950b12b326e6cdb0339990cabd8f_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\SysWOW64\aline.scr
  C:\Windows\System32\aline.scr 1
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\tmp.bat
  2⤵
  PID:4468

C:\Windows\SysWOW64\aline.scr
C:\Windows\SysWOW64\aline.scr -service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1340

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\aline.dat

Filesize
368KB

MD5
36ba9785507a5ba7cc29724f56d98721

SHA1
8aaac5a87a05c7ce16d9245ec2b2ebbb1a9af78a

SHA256
07a81af14f387ee9c9f9fbc694d457f68535c543e6e52fbbfbfce3d38954e8a5

SHA512
235d2bea9cd3fadc9456f6356a158e851ef20570ae9353b2d0b859befe1f002239ce0deef45d82869ea375383eb2dab3fec22b8e2ce23907ccd43e2ce9cbe17d

Download Submit
C:\Windows\SysWOW64\aline.scr

Filesize
562KB

MD5
0449950b12b326e6cdb0339990cabd8f

SHA1
e759281a0c700fe19df5d7d357d3c4df1ad73d4f

SHA256
c70a0750ace9c556107d9fed66c6ee4d13ddac4ccc0e2a88f9237375c4a04fef

SHA512
924a105e6fccd12435d8d272c8b53ed9969dba0965d569182064530c201de0cb1a836942d86818d56c0561af64b82c2dd06896e8fcfb72911ae4a6107538e634

Download Submit
C:\Windows\SysWOW64\tmp.bat

Filesize
267B

MD5
ef66a416e1356ce5e51676537e8bafcf

SHA1
deeff267033cf7e6960e77408d9d19e87a00858a

SHA256
ace1fadd9f534a751e2f283e53ea97a5de493f28f66a7ab2b47347d75fe17e12

SHA512
23ec76ae2dd3f3c99d604a6af0dc9506039c605df983edea05bbec5ec8d8a8d435dce79e2bd809c4eb941c288f4c772b04b0e3a44a374eef0ccab6a0783d11ff

Download Submit
memory/1340-11-0x0000000002F40000-0x000000000321F000-memory.dmp

Filesize
2.9MB

Download
memory/1340-17-0x0000000010000000-0x00000000102DF000-memory.dmp

Filesize
2.9MB

Download
memory/1340-14-0x0000000075DC0000-0x0000000075DC1000-memory.dmp

Filesize
4KB

Download
memory/1340-20-0x0000000010000000-0x00000000102DF000-memory.dmp

Filesize
2.9MB

Download
memory/1340-19-0x0000000075DA0000-0x0000000075E90000-memory.dmp

Filesize
960KB

Download
memory/1340-22-0x0000000010000000-0x00000000102DF000-memory.dmp

Filesize
2.9MB

Download
memory/1340-23-0x0000000010000000-0x00000000102DF000-memory.dmp

Filesize
2.9MB

Download
memory/1340-24-0x0000000075DA0000-0x0000000075E90000-memory.dmp

Filesize
960KB

Download