c5d007bbfef00088c3e0a9e37a02fedd5effc089c49e74f33e756ad22428df6f

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0424bc63ed53a6e0ff5fa0f3d4292f27_JaffaCakes118.exe
Size

19KB
MD5

0424bc63ed53a6e0ff5fa0f3d4292f27
SHA1

2353e1d8aa67bb4e542db632dada7c037973f2f0
SHA256

c5d007bbfef00088c3e0a9e37a02fedd5effc089c49e74f33e756ad22428df6f
SHA512

c3340411f1908bed6475a422f37813ff3fa84e34a7f489e3da975a1de5fe9fbafa4a5b6bf77637fb94b465a359774be06303eb8cc5c357787337664035dbd27e
SSDEEP

384:mSW/WMkGOu2urxMXxexWQxreVeimEb9w+obFWkHqyZwxQCQlhZqvOruy15a:BlmCxeYQJeVei5o9KSw6CYJrNo

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\A138491F\ImagePath = "C:\\Windows\\system32\\2237A95C.EXE -k"	0424bc63ed53a6e0ff5fa0f3d4292f27_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3532	2237A95C.EXE

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\2237A95C.EXE	2237A95C.EXE
File created	C:\Windows\SysWOW64\80B69B6E.DLL	2237A95C.EXE
File created	C:\Windows\SysWOW64\delme.bat	0424bc63ed53a6e0ff5fa0f3d4292f27_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\2237A95C.EXE	0424bc63ed53a6e0ff5fa0f3d4292f27_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\2237A95C.EXE	0424bc63ed53a6e0ff5fa0f3d4292f27_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4988	0424bc63ed53a6e0ff5fa0f3d4292f27_JaffaCakes118.exe
4988	0424bc63ed53a6e0ff5fa0f3d4292f27_JaffaCakes118.exe
3532	2237A95C.EXE
3532	2237A95C.EXE
3532	2237A95C.EXE
3532	2237A95C.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 3108	4988	0424bc63ed53a6e0ff5fa0f3d4292f27_JaffaCakes118.exe	85
PID 4988 wrote to memory of 3108	4988	0424bc63ed53a6e0ff5fa0f3d4292f27_JaffaCakes118.exe	85
PID 4988 wrote to memory of 3108	4988	0424bc63ed53a6e0ff5fa0f3d4292f27_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\0424bc63ed53a6e0ff5fa0f3d4292f27_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0424bc63ed53a6e0ff5fa0f3d4292f27_JaffaCakes118.exe"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\delme.bat
  2⤵
  PID:3108

C:\Windows\SysWOW64\2237A95C.EXE
C:\Windows\SysWOW64\2237A95C.EXE -k
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\2237A95C.EXE

Filesize
19KB

MD5
0424bc63ed53a6e0ff5fa0f3d4292f27

SHA1
2353e1d8aa67bb4e542db632dada7c037973f2f0

SHA256
c5d007bbfef00088c3e0a9e37a02fedd5effc089c49e74f33e756ad22428df6f

SHA512
c3340411f1908bed6475a422f37813ff3fa84e34a7f489e3da975a1de5fe9fbafa4a5b6bf77637fb94b465a359774be06303eb8cc5c357787337664035dbd27e

Download Submit
C:\Windows\SysWOW64\delme.bat

Filesize
239B

MD5
d92befcac129a5e9dd5ac5ccda8161ab

SHA1
dee7e417e10528942eaf8df0acae653eaedde02a

SHA256
a2ffe925e64ed1a016f47a17eefcdef49b68389e5e5aaadbefe251e32f002131

SHA512
642461aa5e810486e436827e1850ec1328e5522c5fbd1eb101cd7e9c7d8ac4b4581ab106dd34a552cd1f3bb7f76310d774bbe7f0d04dc6ed81e19e65eab807ec

Download Submit
memory/3532-5-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3532-6-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/3532-12-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4988-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4988-1-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/4988-10-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download