bc41f0e4a7a4b43588687c1b984c38508f3d016dc8e50eba11eeab93074684ea

Analysis

max time kernel
140s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe
Size

50KB
MD5

05223c65fc4494ab73cdb5897b85c477
SHA1

87496f4d9d87e1e7e52604de5160ade8028cbedf
SHA256

bc41f0e4a7a4b43588687c1b984c38508f3d016dc8e50eba11eeab93074684ea
SHA512

f0cc9ce156d8b1abe3259ee28db074c3970fc831dbd5a8ec80f76b32226bd83ccf6af1a922fc1c8ff39734cb8e552d0673d7fa3ba6054507ff99b3ab7f722151
SSDEEP

768:4VRKzy/Y42LSsbj5M35wh6EDn8pt1+BC3ffng+YctRHmuB1CP1cRWhmYzLgy/U:SRIypbGM3igEWt2ag+/dFCCWhFjM

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
732	Svchosts.exe

Loads dropped DLL 2 IoCs

pid	Process
732	Svchosts.exe
732	Svchosts.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchosts.exe = "C:\\Windows\\Svchosts.exe"	05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Svchosts.exe	05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe
File created	C:\Windows\WinSoft3.DLL	05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe
File created	C:\Windows\Svchosts.exe	05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
732	Svchosts.exe
732	Svchosts.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
732	Svchosts.exe
732	Svchosts.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 732	3504	05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe	84
PID 3504 wrote to memory of 732	3504	05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe	84
PID 3504 wrote to memory of 732	3504	05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe	84
PID 3504 wrote to memory of 2972	3504	05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe	85
PID 3504 wrote to memory of 2972	3504	05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe	85
PID 3504 wrote to memory of 2972	3504	05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Windows\Svchosts.exe
  C:\Windows\Svchosts.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Deleteme.bat
  2⤵
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Deleteme.bat

Filesize
212B

MD5
1c9bf3151ca898f4da83c9ce71e63ec3

SHA1
e3fb448179f20f5ce211b6380405981fd5c775d1

SHA256
da88d35743424746ccff818aa03ad353ea29a36b6dc59d58908b158537f417f0

SHA512
669bcd6496fdb9bf0a9786324157cb4c4faad9a9d3f196945ffada3a10437c1df95dc55dbfa3313acc55ec7ea6b75f103e9c4c884b5c51ccd215d190998ec970

Download Submit
C:\Windows\Svchosts.exe

Filesize
50KB

MD5
05223c65fc4494ab73cdb5897b85c477

SHA1
87496f4d9d87e1e7e52604de5160ade8028cbedf

SHA256
bc41f0e4a7a4b43588687c1b984c38508f3d016dc8e50eba11eeab93074684ea

SHA512
f0cc9ce156d8b1abe3259ee28db074c3970fc831dbd5a8ec80f76b32226bd83ccf6af1a922fc1c8ff39734cb8e552d0673d7fa3ba6054507ff99b3ab7f722151

Download Submit
C:\Windows\WinSoft3.DLL

Filesize
49KB

MD5
e3e15c1c3aab1b0a44f1d6cdff200cd2

SHA1
66645f30ffcabf79de9728ce58835954b42d3149

SHA256
281e14f009ff1e3b40b163bd449186ae1f4a04ac8f340347e17cb3b933982a00

SHA512
24e994d3722a3db534278753eb7d0db6b6c17503802a909b12bfe5d6f9399d38990686849136cf9dbcf83b966ea7a825071a5c02ee2b88404dbcec92673943f8

Download Submit
memory/732-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/732-10-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/732-13-0x00000000006A0000-0x00000000006B1000-memory.dmp

Filesize
68KB

Download
memory/732-18-0x00000000006A0000-0x00000000006B1000-memory.dmp

Filesize
68KB

Download
memory/732-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/732-21-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/3504-4-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/3504-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3504-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3504-1-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download