e048c53f51d4a2fd1076717353b1de92fdb778f7eb8b517aa4cbcd5373b5ce64

Analysis

max time kernel
128s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

163a231e3e1ef7611e0a189c7fa20296_JaffaCakes118.exe
Size

13KB
MD5

163a231e3e1ef7611e0a189c7fa20296
SHA1

e6aea52cab2c5419ffd95f2d6eff721b1c1e6afe
SHA256

e048c53f51d4a2fd1076717353b1de92fdb778f7eb8b517aa4cbcd5373b5ce64
SHA512

992af61c0ba2c5d8f15421a3f5f1b4c996d526275f7f6f43b7cb017124d7d0d93bcd841ca8252290d828f95616125bed119c1fe8cf588f8e670e3bb6b855fe4a
SSDEEP

192:kmIFYOjh2hJA9rvfGBHGt1R3YUkcYCxiACb+tKFKokBPYYHLYao3szQEyjjjaFUW:kmI6AoJwfGBHGFvxFCbcRYKzvoi

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\dispexcb.dll = "{76D44356-B494-443a-BEDC-AA68DE4255E6}"	163a231e3e1ef7611e0a189c7fa20296_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
1196	163a231e3e1ef7611e0a189c7fa20296_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dispexcb.tmp	163a231e3e1ef7611e0a189c7fa20296_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dispexcb.tmp	163a231e3e1ef7611e0a189c7fa20296_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dispexcb.nls	163a231e3e1ef7611e0a189c7fa20296_JaffaCakes118.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}	163a231e3e1ef7611e0a189c7fa20296_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32	163a231e3e1ef7611e0a189c7fa20296_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32\ = "C:\\Windows\\SysWow64\\dispexcb.dll"	163a231e3e1ef7611e0a189c7fa20296_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32\ThreadingModel = "Apartment"	163a231e3e1ef7611e0a189c7fa20296_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1196	163a231e3e1ef7611e0a189c7fa20296_JaffaCakes118.exe
1196	163a231e3e1ef7611e0a189c7fa20296_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1196	163a231e3e1ef7611e0a189c7fa20296_JaffaCakes118.exe
1196	163a231e3e1ef7611e0a189c7fa20296_JaffaCakes118.exe
1196	163a231e3e1ef7611e0a189c7fa20296_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 5076	1196	163a231e3e1ef7611e0a189c7fa20296_JaffaCakes118.exe	94
PID 1196 wrote to memory of 5076	1196	163a231e3e1ef7611e0a189c7fa20296_JaffaCakes118.exe	94
PID 1196 wrote to memory of 5076	1196	163a231e3e1ef7611e0a189c7fa20296_JaffaCakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\163a231e3e1ef7611e0a189c7fa20296_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\163a231e3e1ef7611e0a189c7fa20296_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ABC1.tmp.bat
  2⤵
  PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ABC1.tmp.bat

Filesize
207B

MD5
6e62a1f32805bbba10a24aa05bbc7c95

SHA1
ef5090c0ebeb16cc9ac445aadc42a06cf271796d

SHA256
b67d4e7e2651ff1c704b97eeedafd07b09cc3cbc039156939dc09a4f62ec7afd

SHA512
e1850544202344eb20334c7bbc85ab88e401cefa2a0637963c4a00c7e6a200f28b86760d386a62395ac357246c7387d4595aca50d921e6eb13ead77283fcfe4b

Download Submit
C:\Windows\SysWOW64\dispexcb.dll

Filesize
627KB

MD5
b9b0cd94ffafab7ccd8a377d9a74eb28

SHA1
5fdba4e47f794e1c718e9510dc92b1cc66b0ce86

SHA256
61a23050a5debcd961caf96a0986eb3144b54f986c6a8b02989be4660c91e6ae

SHA512
c81581888e5c43b827d2ae7c2a1e67dba1738385dd42cf20da6fa42fdf4c1676370382d0fa65e6c15dda92186e5e618704fc035150324f7559326a6c7890d2f5

Download Submit
C:\Windows\SysWOW64\dispexcb.nls

Filesize
428B

MD5
376d39c1f584196deed675a8fcdd5ac8

SHA1
7ae9917b886e636e6b1ceb32e79690061f681f0a

SHA256
2e4defe7ffadb416b77549cbbb0162459e186b81f399d64982f659ff5b0d5f8e

SHA512
7e6ff25110c6ec41af0f53cd3bea50380366a53756f0956686e206295d464d80f1668c197b36bc8884f6f4336a4beaf2836fea3b9dbc9c80385f26ae51712a77

Download Submit
memory/1196-17-0x0000000020000000-0x000000002006C000-memory.dmp

Filesize
432KB

Download
memory/1196-21-0x0000000020000000-0x000000002006C000-memory.dmp

Filesize
432KB

Download