d949a099004e5f813a9d24cd5f9a698299333cae94c3a589766a92a0129775f2

Analysis

max time kernel
51s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08849195a952927042d833cf0c79570f_JaffaCakes118.exe
Size

1.1MB
MD5

08849195a952927042d833cf0c79570f
SHA1

79b0e5065536254eef0d7b8d51fcbebe58820ff6
SHA256

d949a099004e5f813a9d24cd5f9a698299333cae94c3a589766a92a0129775f2
SHA512

7fd6dcaa86ac72e145397ca344114fe28cb214c5dd0c50af78543c6d7c1f652a02d6f3137e7c1b55fffb1f23d4427667d17b603b5c396e0aeb8478620f460516
SSDEEP

24576:cf7pTED/QDt/SPUEwCmJrIyjfqml71aUqqYbbaP3y30rsqel:0V4mYPutIy5V1aDtbbuNel

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1100	~

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
3628	MSIEXEC.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3920 set thread context of 1100	3920	08849195a952927042d833cf0c79570f_JaffaCakes118.exe	80

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3628	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3628	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3628	MSIEXEC.EXE
3628	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 1100	3920	08849195a952927042d833cf0c79570f_JaffaCakes118.exe	80
PID 3920 wrote to memory of 1100	3920	08849195a952927042d833cf0c79570f_JaffaCakes118.exe	80
PID 3920 wrote to memory of 1100	3920	08849195a952927042d833cf0c79570f_JaffaCakes118.exe	80
PID 3920 wrote to memory of 1100	3920	08849195a952927042d833cf0c79570f_JaffaCakes118.exe	80
PID 3920 wrote to memory of 1100	3920	08849195a952927042d833cf0c79570f_JaffaCakes118.exe	80
PID 1100 wrote to memory of 3628	1100	~	81
PID 1100 wrote to memory of 3628	1100	~	81
PID 1100 wrote to memory of 3628	1100	~	81

C:\Users\Admin\AppData\Local\Temp\08849195a952927042d833cf0c79570f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08849195a952927042d833cf0c79570f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Users\Admin\AppData\Local\Temp\~
  C:\Users\Admin\AppData\Local\Temp\~
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "http://setup.realtimegaming.com/36175/cdn/winpalace/WinPalace20101209065652.msi" DDC_DID=877572 DDC_RTGURL=http://69.59.134.122/dl/TrackSetup/TrackSetup.aspx?DID=877572%26filename=WinPalace%2Eexe SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="~"
    3⤵
    - Use of msiexec (install) with remote resource
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{551B50D5-3B44-4B4A-8454-139D4C31DA10}\0x0409.ini

Filesize
20KB

MD5
36affbd6ff77d1515cfc1c5e998fbaf9

SHA1
950d00ecc2e7fd2c48897814029e8eedf6397838

SHA256
fccc7f79d29318d8ae78850c262bac762c28858709a6e6cf3b62bcd2729a61e3

SHA512
2f29de86d486db783872581a43a834e5064d1488bc3f085ddc5a3287eb9ee8a4ce93d66f7b4965cafb3c4f06b38d4b0fcfdc0fcb1f99d61331a808e5d6011808

Download Submit
C:\Users\Admin\AppData\Local\Temp\{551B50D5-3B44-4B4A-8454-139D4C31DA10}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~

Filesize
904KB

MD5
06fbc3aa35f7f064084ba0ed8a3b4111

SHA1
a5a98424b435b129fc67393bd51e1a5209695a68

SHA256
f631fffb25a243ed916253e9a0ce85a79dac3c6a3a91713057046a624ceda8ac

SHA512
24b3d2476a77158c4ab906eea7ad13e74d30cb831b92e293d35ca6b929940eb2166e4a314464b64f81988d0e56fa8d4b2247afd15d17cd9c8c7144df62467d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~4652.tmp

Filesize
5KB

MD5
261b7e5ecb0d17f75745b8302028ee0e

SHA1
73607be8095ac6084a81c8e22c5a86b70e7b8d2a

SHA256
549745fe4591fe345682f9a7fed539b4ad329cdd82ab9e9a61a8ffd5e4bcb2e8

SHA512
e65274f8c306ce306aa112c9dd5ffdc5073069514a3d2ef225a12126f7fcd652e641a55319270d88acb08fb50f893ec6b83022483c049cf2570883163be9f106

Download Submit
memory/1100-32-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1100-45-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1100-51-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download