8513aedd7c5c5cfae622f6b397a384af0eedd6eee0113d7f6785d82d48d037e8

Analysis

max time kernel
141s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe
Size

99KB
MD5

0d2dd61248b33910415d268bdc163481
SHA1

ec2d262d67fa3e4a86e76d696e700c3df3378528
SHA256

8513aedd7c5c5cfae622f6b397a384af0eedd6eee0113d7f6785d82d48d037e8
SHA512

ede41598e0332df73c29b67f86d9d202f1428dafa5ceb2b2a422d9cb94bc6b2480f880b5e9fa03fc48aabbf9e61906b059c173bfada86bb59cbc37fad2a63e08
SSDEEP

1536:FLGS5u0MDH+2ENm150Aa/B5WUbeVt8Yqt/6jch62MsGW2qkHKJcT5alOtdxtL2eG:dG2u0L/N3/cVt8NYbsPmvT5alqxtLI

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Userinit = "rundll32.exe C:\\Windows\\system32\\winsys16_070924.dll start"	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
8	AlxRes070924.exe

Loads dropped DLL 1 IoCs

pid	Process
980	rundll32.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inf\scrsys16_070924.dll	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\inf\scrsys16_070924.dll	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winsys16_070924.dll	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\inf\scrsys070924.scr	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winsys32_070924.dll	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winsys16_070924.dll	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winsys32_070924.dll	AlxRes070924.exe
File created	C:\Windows\SysWOW64\winsys32_070924.dll	AlxRes070924.exe
File created	C:\Windows\SysWOW64\inf\scrsys070924.scr	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winsys32_070924.dll	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mwinsys.ini	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe
File created	C:\Windows\system\AlxRes070924.exe	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe
File opened for modification	C:\Windows\system\AlxRes070924.exe	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe
File opened for modification	C:\Windows\mwinsys.ini	AlxRes070924.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	AlxRes070924.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
940	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe
940	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe
940	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe
940	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe
940	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe
940	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe
8	AlxRes070924.exe
8	AlxRes070924.exe
8	AlxRes070924.exe
8	AlxRes070924.exe
8	AlxRes070924.exe
8	AlxRes070924.exe
8	AlxRes070924.exe
8	AlxRes070924.exe
8	AlxRes070924.exe
8	AlxRes070924.exe
8	AlxRes070924.exe
8	AlxRes070924.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
980	rundll32.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	940	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe
Token: SeDebugPrivilege	940	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe
Token: SeDebugPrivilege	940	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe
Token: SeDebugPrivilege	8	AlxRes070924.exe
Token: SeDebugPrivilege	8	AlxRes070924.exe
Token: SeDebugPrivilege	8	AlxRes070924.exe
Token: SeDebugPrivilege	8	AlxRes070924.exe
Token: SeDebugPrivilege	8	AlxRes070924.exe
Token: SeDebugPrivilege	8	AlxRes070924.exe
Token: SeDebugPrivilege	8	AlxRes070924.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 980	940	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe	81
PID 940 wrote to memory of 980	940	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe	81
PID 940 wrote to memory of 980	940	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe	81
PID 980 wrote to memory of 4660	980	rundll32.exe	84
PID 980 wrote to memory of 4660	980	rundll32.exe	84
PID 980 wrote to memory of 4660	980	rundll32.exe	84
PID 4660 wrote to memory of 8	4660	cmd.exe	86
PID 4660 wrote to memory of 8	4660	cmd.exe	86
PID 4660 wrote to memory of 8	4660	cmd.exe	86
PID 940 wrote to memory of 3664	940	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe	87
PID 940 wrote to memory of 3664	940	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe	87
PID 940 wrote to memory of 3664	940	0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe	87
PID 8 wrote to memory of 1232	8	AlxRes070924.exe	94
PID 8 wrote to memory of 1232	8	AlxRes070924.exe	94
PID 8 wrote to memory of 1232	8	AlxRes070924.exe	94

C:\Users\Admin\AppData\Local\Temp\0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d2dd61248b33910415d268bdc163481_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\winsys16_070924.dll start
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\mycj.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Windows\system\AlxRes070924.exe
      "C:\Windows\system\AlxRes070924.exe" i
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:8
    - - C:\program files\internet explorer\iexplore.exe
        
        "C:\program files\internet explorer\iexplore.exe"
        5⤵
        
        PID:1232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\myDelm.bat
  2⤵
  PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winsys16_070924.dll

Filesize
24KB

MD5
66ba55e650caf31ba7c71d1ae26f13d4

SHA1
9de31680b59cb22c24c630300512fd4142b120e1

SHA256
00b6501d0468b5865eda63a13743811d726610e0945782d4e097c7e23366a7b8

SHA512
6564aff977de0412d90ff79f1d74636c2be68b42d541671d20e1b5da8c7fafa3e88fbc8478c6528505abdf15d9f1284c3064aad6f7ed98f428d4f76610608ccc

Download Submit
C:\Windows\SysWOW64\winsys32_070924.dll

Filesize
194KB

MD5
a0493004176f052786e1468c408d8ff8

SHA1
84d46167d8a4af798bb73a5c4cfecb71b045211a

SHA256
1033d3188f40d55d3aa767125e9bc3ef1db8fe34f9851df326398e267a30795d

SHA512
99e23c0bf113ca759fe80f71bf2961ca3e876273ddcab71b4392cdd6153b6299bc4cfeabbc1d885d245a7ec64e11092687451d089ff178c73f54e238011100eb

Download Submit
C:\Windows\System\AlxRes070924.exe

Filesize
99KB

MD5
0d2dd61248b33910415d268bdc163481

SHA1
ec2d262d67fa3e4a86e76d696e700c3df3378528

SHA256
8513aedd7c5c5cfae622f6b397a384af0eedd6eee0113d7f6785d82d48d037e8

SHA512
ede41598e0332df73c29b67f86d9d202f1428dafa5ceb2b2a422d9cb94bc6b2480f880b5e9fa03fc48aabbf9e61906b059c173bfada86bb59cbc37fad2a63e08

Download Submit
C:\Windows\mwinsys.ini

Filesize
343B

MD5
eea344cdce5aa34a696ddb76badf8750

SHA1
a55c9cee3372769c1eb4fa5821c3fbc86669f0a4

SHA256
6b6ac501269b8e3a0980a9c798525d804de17587cf3b39fd7d0900135d6c6825

SHA512
63f2eb280dd5f6f2715f3eed0388610fb4053bd2ed3345e774c178e1abc3b119cd35f5db81c8e740241f8961682a247e82b602d494e8816d3cdec6cf3a4a1c89

Download Submit
C:\Windows\mwinsys.ini

Filesize
31B

MD5
981049e8d9bf6fd1a3a5ed7a95cdd488

SHA1
a970a6430eaecb7b40414e10fc57e07f092819c3

SHA256
2e50e7fb6b7c6b2ae0db24b74f76e5af7a8ef9c6a283ee60d7b30051ba3e1381

SHA512
5d31890bfbccd22b5035bbdf24dd7759ea6b59aebd60e4dc84c7dd28e599c226598d3c6027ae512d56b909506fb4256b6fa34867a510636bf84d6077711af601

Download Submit
C:\Windows\mwinsys.ini

Filesize
369B

MD5
8e3e1f47a9931d716136473aca2ffa4b

SHA1
f898ad44d7f847b4f88f101f71c06504b7da7f50

SHA256
8b8787ed94c0fc16f3874f0c82f72c63f6e134a9bef1893f0e3e66c467c2172a

SHA512
36bfb945442405f43489ab3a68eb4a5c2010efd1bfcef24222bbd9919d0f25d28864e810199ad9acbaf2f510fb4171aea4fc26059c4069c2531d8aa126fb58fe

Download Submit
C:\Windows\mwinsys.ini

Filesize
402B

MD5
0535eab8cf30e14fde56f5e8fe87919e

SHA1
d535e4004ac1546ad018b99bb27444bba9556495

SHA256
c6ac55a033a9febbf4ba6798d50a8b2bcd6eb270a7d3019cc2aa80834893d67f

SHA512
e7307b6b6846b47b14f08c12e958ebd7504b96c9617c475b63eb6df4e00dcbe5f0712426ef4044fb38bb49a9d1fa679d546d9dcb1c0c96a045ab9395d9946c05

Download Submit
\??\c:\myDelm.bat

Filesize
212B

MD5
908c87ab07c08186ab1d78c9fd8f7933

SHA1
7f4860ec62e20f61d15c78126120c13fddcc6630

SHA256
e88d1dfae70b4608cac873c7bd4d9e69d53895cfb5efaba1f9152404106425e2

SHA512
7d27d2e291d6611ca05d1cb0725018edbd142e948c2a7c0fed71b4093bc52dcbeff8b18ab3fdad87e66dc4551a535346dc1ac6ee2e15abe4eae3ad88a8436966

Download Submit
\??\c:\mycj.bat

Filesize
48B

MD5
726cd00f0793ca5478b10d84891aba41

SHA1
c2e6b1b6ca6905310586c0d97c52db40bc8fd072

SHA256
d40bd844d48650d487268612e29b85ef556b1b87e23446d833bcebc3a07f14ee

SHA512
3f4ef0089bc0fb0b8430a4d82b9033b6f154242ccb881268d8e84ebd56ba7b46989fd5d937d0f3f1fdf5731a0930e426d6b50fa9a515eb2cbe8c4dab264c211f

Download Submit
memory/980-40-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/980-52-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/980-68-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download