b3b954ac829358338226cf9b59b2ecaa350047a81dd771217a82b41a78274b0e

Analysis

max time kernel
133s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15609fe3ff3cf23e542cda5e4f691eea_JaffaCakes118.exe
Size

1.4MB
MD5

15609fe3ff3cf23e542cda5e4f691eea
SHA1

dd43719b6d40e4ccd7e639e353b24db8571bfae6
SHA256

b3b954ac829358338226cf9b59b2ecaa350047a81dd771217a82b41a78274b0e
SHA512

abf064c6f40feb7f3ef4b4386742aaf7e02b444f8613e0cd35ce4caf406de664bff5f390657509544b72ee01fb28402e9d47ec1300491f92d8cd9e2797045cc8
SSDEEP

24576:p4XpDTf33M5wfpN8WWORDhd3qGNJDY0SqThbULrfSqngxwR6cTl7GzblAiKoQgGM:ipDLsORNNWOv3mrqThbUSqgxwv63KNLg

Score

7^/10

persistence

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	autorun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	autorun.exe

Executes dropped EXE 2 IoCs

pid	Process
4004	forum.exe
4120	autorun.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	15609fe3ff3cf23e542cda5e4f691eea_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4120	autorun.exe
Token: SeIncBasePriorityPrivilege	4120	autorun.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4120	autorun.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 4004	4880	15609fe3ff3cf23e542cda5e4f691eea_JaffaCakes118.exe	83
PID 4880 wrote to memory of 4004	4880	15609fe3ff3cf23e542cda5e4f691eea_JaffaCakes118.exe	83
PID 4880 wrote to memory of 4004	4880	15609fe3ff3cf23e542cda5e4f691eea_JaffaCakes118.exe	83
PID 4880 wrote to memory of 4120	4880	15609fe3ff3cf23e542cda5e4f691eea_JaffaCakes118.exe	84
PID 4880 wrote to memory of 4120	4880	15609fe3ff3cf23e542cda5e4f691eea_JaffaCakes118.exe	84
PID 4880 wrote to memory of 4120	4880	15609fe3ff3cf23e542cda5e4f691eea_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\15609fe3ff3cf23e542cda5e4f691eea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15609fe3ff3cf23e542cda5e4f691eea_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\forum.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\forum.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\autorun.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\autorun.exe
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\autorun.exe

Filesize
1.3MB

MD5
2f143639e4afc436860ba12c2d2631fe

SHA1
04e865278ef70cc9529ccc03a15e283dfef99088

SHA256
4d32a2c109eb60f5e438465e42eeed96780f93e44c294ee3f4c29663f98211bd

SHA512
074bb78edfab0a212d280008b38fa262b6f991c403ee6c5b550d24930bbfe1613a57a84e078d1b7be1187a0461e2b0b9cde47210a66db3af9f56948af0d31fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\forum.exe

Filesize
88KB

MD5
462c2cdf56be058a2051481da7d6ea38

SHA1
6533fac71215b63f24924734c85651d25bd06629

SHA256
1dd6d2e0923651d6e96e85154ab7347ea70af85b1146a770f530b14a33add02e

SHA512
7241ddb290259916bcacfc66bfb36169991b75e0aeac37f7de1c349dae457cb787d3efdef7ded43800bbf3d3e98ccc173dbca7fef5b9d59bf23817bb477cfe01

Download Submit
memory/4004-7-0x00000000006E0000-0x00000000006F7000-memory.dmp

Filesize
92KB

Download
memory/4004-8-0x00000000024F0000-0x0000000002507000-memory.dmp

Filesize
92KB

Download
memory/4004-18-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4120-32-0x0000000000400000-0x00000000007B9000-memory.dmp

Filesize
3.7MB

Download
memory/4120-28-0x0000000000400000-0x00000000007B9000-memory.dmp

Filesize
3.7MB

Download
memory/4120-29-0x0000000000400000-0x00000000007B9000-memory.dmp

Filesize
3.7MB

Download
memory/4120-23-0x00000000008A0000-0x00000000008D9000-memory.dmp

Filesize
228KB

Download
memory/4120-35-0x0000000000400000-0x00000000007B9000-memory.dmp

Filesize
3.7MB

Download
memory/4120-38-0x00000000008A0000-0x00000000008D9000-memory.dmp

Filesize
228KB

Download
memory/4120-36-0x0000000000400000-0x00000000007B9000-memory.dmp

Filesize
3.7MB

Download
memory/4120-37-0x0000000000400000-0x00000000007B9000-memory.dmp

Filesize
3.7MB

Download
memory/4120-33-0x0000000000400000-0x00000000007B9000-memory.dmp

Filesize
3.7MB

Download
memory/4120-39-0x00000000008A0000-0x00000000008D9000-memory.dmp

Filesize
228KB

Download
memory/4120-41-0x0000000000400000-0x00000000007B9000-memory.dmp

Filesize
3.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads