495ae62a0acba8cd23585cf6bbb8e35ca2944c9028816ec66ffe7248f63455e6

Analysis

max time kernel
51s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe
Size

240KB
MD5

14e9af2b3b387642887c9e545ac248d2
SHA1

0d25004347da456697ef8c4ddbf8e8ecdc606972
SHA256

495ae62a0acba8cd23585cf6bbb8e35ca2944c9028816ec66ffe7248f63455e6
SHA512

590c3b34ff4e7536e673700f4e0b2fdde96a97b0c6f36e0a6387bb24806f16def37625bf62213fd348a14237984193b6b65ba9b9eb0194f0e39df8d65e1be32b
SSDEEP

6144:m8g/7ixgAHtuypsUb+MlLwIPXD5OkkQ4tMZqdQsyBd+ptEs:mzeWildh1wIPXD5OkkQ4uqdQD6

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4164	server.exe
4852	server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4164	server.exe
4164	server.exe
4164	server.exe
4164	server.exe
4852	server.exe
4852	server.exe
4852	server.exe
4852	server.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 4164	1204	14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe	81
PID 1204 wrote to memory of 4164	1204	14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe	81
PID 1204 wrote to memory of 4164	1204	14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe	81
PID 4164 wrote to memory of 3532	4164	server.exe	56
PID 4164 wrote to memory of 3532	4164	server.exe	56
PID 4164 wrote to memory of 3532	4164	server.exe	56
PID 4164 wrote to memory of 3532	4164	server.exe	56
PID 1204 wrote to memory of 4852	1204	14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe	82
PID 1204 wrote to memory of 4852	1204	14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe	82
PID 1204 wrote to memory of 4852	1204	14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe	82
PID 4852 wrote to memory of 3532	4852	server.exe	56
PID 4852 wrote to memory of 3532	4852	server.exe	56
PID 4852 wrote to memory of 3532	4852	server.exe	56
PID 4852 wrote to memory of 3532	4852	server.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3532
- C:\Users\Admin\AppData\Local\Temp\14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4164
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
34KB

MD5
fa5391fcdd6bf8a40a0b9183d00b8c22

SHA1
b489da2cf80ee8c3f7f93fba3432c10e463b4567

SHA256
b629d536476f47e272a9ab722e2925c706747ae57f946e0c9bd6b7336568761f

SHA512
3b58d52cec2b6f163bdb11dab7162ccb0fe663d2d748848aa36ac0ecfaa2fe8ce731b7446760e33a3afe63b53b9785988754381c19d36e01427cbcf707a721f0

Download Submit
memory/1204-19-0x0000000001000000-0x0000000001077000-memory.dmp

Filesize
476KB

Download
memory/1204-1-0x0000000001000000-0x0000000001077000-memory.dmp

Filesize
476KB

Download
memory/1204-3-0x0000000001000000-0x0000000001077000-memory.dmp

Filesize
476KB

Download
memory/1204-4-0x0000000001000000-0x0000000001077000-memory.dmp

Filesize
476KB

Download
memory/1204-0-0x0000000001001000-0x0000000001003000-memory.dmp

Filesize
8KB

Download
memory/1204-26-0x0000000001000000-0x0000000001077000-memory.dmp

Filesize
476KB

Download
memory/1204-2-0x0000000001000000-0x0000000001077000-memory.dmp

Filesize
476KB

Download
memory/1204-24-0x0000000001001000-0x0000000001003000-memory.dmp

Filesize
8KB

Download
memory/3532-12-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3532-14-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download
memory/4164-13-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4164-11-0x00000000004E0000-0x00000000004E2000-memory.dmp

Filesize
8KB

Download
memory/4164-17-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4164-10-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4852-25-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download