5c39429ae81b260c3e45d2deea3fd29a3ab3ed494ed9944490b8fae0279d2746

Analysis

max time kernel
140s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e7a174f960dda3c8f26e6240d874a2c_JaffaCakes118.exe
Size

39KB
MD5

0e7a174f960dda3c8f26e6240d874a2c
SHA1

f0b371860a18a7753f6841f67c8f9cc9a866def3
SHA256

5c39429ae81b260c3e45d2deea3fd29a3ab3ed494ed9944490b8fae0279d2746
SHA512

b2a904d95f59f041b016f8ea0ae4d28878fc2310412129c826768592c625cc3043a855b32a35026f3d12770dc380c7d2fd515a449ab68266695517ce6c74d450
SSDEEP

768:9i/mxEnhmldonp1uiYh2fvdW1lacva80fAgdRGgd2GgdOGgdYGgd:9XEh8Snp1uiYANAlacQAqRGq2GqOGqYh

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
4776	0e7a174f960dda3c8f26e6240d874a2c_JaffaCakes118.exe
4776	0e7a174f960dda3c8f26e6240d874a2c_JaffaCakes118.exe
4776	0e7a174f960dda3c8f26e6240d874a2c_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update Client = "C:\\Windows\\system32\\wuclient.exe"	0e7a174f960dda3c8f26e6240d874a2c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XPSP2 Firewall = "C:\\Windows\\system32\\xpsp2fw.exe"	0e7a174f960dda3c8f26e6240d874a2c_JaffaCakes118.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ppSeCast.dll	0e7a174f960dda3c8f26e6240d874a2c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wuclient.exe	0e7a174f960dda3c8f26e6240d874a2c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xpsp2fw.exe	0e7a174f960dda3c8f26e6240d874a2c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xpsp2fw.exe	0e7a174f960dda3c8f26e6240d874a2c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wowext.dll	0e7a174f960dda3c8f26e6240d874a2c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sinteive.dll	0e7a174f960dda3c8f26e6240d874a2c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ntaclu.dll	0e7a174f960dda3c8f26e6240d874a2c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cppadersn.dll	0e7a174f960dda3c8f26e6240d874a2c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wuclient.exe	0e7a174f960dda3c8f26e6240d874a2c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\eevapipro.dll	0e7a174f960dda3c8f26e6240d874a2c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\syseduomba.dll	0e7a174f960dda3c8f26e6240d874a2c_JaffaCakes118.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{990ee18b-21dc-1664-b863-c8770c6990ee}	0e7a174f960dda3c8f26e6240d874a2c_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{990ee18b-21dc-1664-b863-c8770c6990ee}\ = 950000000000000010000000fab6f753100000001ea1f0d2510000001e00000010100000000000000000000074746770617861637e00010000001010000000000000000000006268627475647e7c737000ae0000001010000023e3120000000000667e6674696500d100000000100000932915000000000062787f657478677400d000000000100000c36f150000000000616142745270626500d20000000010000033d41500000000007f6570727d6400d500000000100000631a14000000000072616170757463627f00	0e7a174f960dda3c8f26e6240d874a2c_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0e7a174f960dda3c8f26e6240d874a2c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e7a174f960dda3c8f26e6240d874a2c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\eevapipro.dll

Filesize
1KB

MD5
b4be0374e3765ed179238fc33392c1d4

SHA1
fae17ee8a9ef768299d33f334d8e6a49ca6d350e

SHA256
cb702709318aa3ecaa574d8ecee7067098f74317dde40e4d057cb50cbeea8442

SHA512
9258731d2c656dc64f2ea4bd8e32662c212e577927f735eef5a718b02546c2cbf1215964b0e4e33cb1b6f218021be11dcb22b7c7c46691e6c24faf019822e53d

Download Submit
C:\Windows\SysWOW64\syseduomba.dll

Filesize
9KB

MD5
8fc399fcf2e532a67ef07db2835e8e24

SHA1
19be753f4e22e389aa390d9740adf3e32662ac43

SHA256
482b0695b074860eebba3ccb7ea93ec175fa126454d44fd44510b012febc4fe3

SHA512
41352fb6082c30b8eede5432bfb597d0b5e541796800c7d866ec8c1c3adf020658bfc8aa590d69be4d0c8f7b964a85b1203132edc1e56513328c38321e34c23b

Download Submit
memory/4776-15-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/4776-20-0x0000000002DE0000-0x0000000002DE4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads