1f16905e43aae7d5fc67f0c2257cf89c801f978da986200d45c10ac7cc7f9ff0

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1492c960c5895ec7ff20da88b2bdedc0_JaffaCakes118.exe
Size

1.4MB
MD5

1492c960c5895ec7ff20da88b2bdedc0
SHA1

3a76a684d22f79c118b0955e2a8a221c4bf44c04
SHA256

1f16905e43aae7d5fc67f0c2257cf89c801f978da986200d45c10ac7cc7f9ff0
SHA512

87e0384eeaa4ab98a8877f6948be809d6d0f7e3477c10c4e1e28ff413e6fc4f99e40201fbad273b86bd96754ea8cd9c47a08b4fd72c337a684510ea33cd893e6
SSDEEP

24576:UFD1M7W5A474Kwidlwov+bL2FNdJC1xEW4A/Ra2LXC0aM97ytbUgAU5I:U9fHdlIv2FcaW4Ew2LX5

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	iexplore.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher 1.2 = "C:\\Users\\Admin\\AppData\\Roaming\\Reader_sl.exe"	iexplore.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1180 set thread context of 1080	1180	1492c960c5895ec7ff20da88b2bdedc0_JaffaCakes118.exe	85

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1080	iexplore.exe
1080	iexplore.exe
1080	iexplore.exe
1080	iexplore.exe
1080	iexplore.exe
1080	iexplore.exe
1080	iexplore.exe
1080	iexplore.exe
1080	iexplore.exe
1080	iexplore.exe
1080	iexplore.exe
1080	iexplore.exe
1080	iexplore.exe
1080	iexplore.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 3308	1180	1492c960c5895ec7ff20da88b2bdedc0_JaffaCakes118.exe	82
PID 1180 wrote to memory of 3308	1180	1492c960c5895ec7ff20da88b2bdedc0_JaffaCakes118.exe	82
PID 1180 wrote to memory of 3308	1180	1492c960c5895ec7ff20da88b2bdedc0_JaffaCakes118.exe	82
PID 1180 wrote to memory of 1080	1180	1492c960c5895ec7ff20da88b2bdedc0_JaffaCakes118.exe	85
PID 1180 wrote to memory of 1080	1180	1492c960c5895ec7ff20da88b2bdedc0_JaffaCakes118.exe	85
PID 1180 wrote to memory of 1080	1180	1492c960c5895ec7ff20da88b2bdedc0_JaffaCakes118.exe	85
PID 1180 wrote to memory of 1080	1180	1492c960c5895ec7ff20da88b2bdedc0_JaffaCakes118.exe	85
PID 1180 wrote to memory of 1080	1180	1492c960c5895ec7ff20da88b2bdedc0_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\1492c960c5895ec7ff20da88b2bdedc0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1492c960c5895ec7ff20da88b2bdedc0_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  PID:3308
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\hosts

Filesize
2KB

MD5
eef7343aba76cb52d036486a07e7408c

SHA1
7eaf8565df83d1d17b9be8782d0c3124b8b9ba6d

SHA256
3909976862626f026dc79d077337f09e7f56598d5d7403ff7378021f1021c7a0

SHA512
58238b43700c79d1e09a0b5f95ae80581fe841915af596af472901564424494f5d2605f9bf28e7cb024d345f80d7dcef5ce841da0cc05da59d96fb3c9f4657af

Download Submit
memory/1080-2-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1180-0-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1180-3-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download