85dc9f61c3f382c1e29dda0300f0cb360261a496ef19f82e97201d83b3d5e743

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 16:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

16a708129d03a707f6e3e94e0ca6628a_JaffaCakes118.exe
Size

978KB
MD5

16a708129d03a707f6e3e94e0ca6628a
SHA1

44b419ae98820e646a8a4ce0282e3b4879749d09
SHA256

85dc9f61c3f382c1e29dda0300f0cb360261a496ef19f82e97201d83b3d5e743
SHA512

3175e84a49edaa6dacc3709576bb66b7090caad6c0f9dbcb65813ad3dc1286ab5144abdc146db0fe0861d345aaa35127357b2b6fdc70781578afcb2cbbdfb028
SSDEEP

24576:YAHnh+eWsN3skA4RV1Hom2KXMmHarNI/D5:fh+ZkldoPK8YarN8

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
532	capauthz.exe
1508	capauthz.exe
2188	capauthz.exe
3596	capauthz.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4012	icacls.exe
3048	icacls.exe
1428	icacls.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023449-0.dat	autoit_exe
behavioral2/memory/1436-1-0x0000000000A70000-0x0000000000B6B000-memory.dmp	autoit_exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1436	16a708129d03a707f6e3e94e0ca6628a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 980	1436	16a708129d03a707f6e3e94e0ca6628a_JaffaCakes118.exe	80
PID 1436 wrote to memory of 980	1436	16a708129d03a707f6e3e94e0ca6628a_JaffaCakes118.exe	80
PID 1436 wrote to memory of 980	1436	16a708129d03a707f6e3e94e0ca6628a_JaffaCakes118.exe	80
PID 980 wrote to memory of 1428	980	cmd.exe	83
PID 980 wrote to memory of 1428	980	cmd.exe	83
PID 980 wrote to memory of 1428	980	cmd.exe	83
PID 980 wrote to memory of 4012	980	cmd.exe	85
PID 980 wrote to memory of 4012	980	cmd.exe	85
PID 980 wrote to memory of 4012	980	cmd.exe	85
PID 980 wrote to memory of 3048	980	cmd.exe	86
PID 980 wrote to memory of 3048	980	cmd.exe	86
PID 980 wrote to memory of 3048	980	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\16a708129d03a707f6e3e94e0ca6628a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\16a708129d03a707f6e3e94e0ca6628a_JaffaCakes118.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\amd64_wpf-uiautomationprovider_31bf3856ad364e35_10.0.17134.1_none_ea1d5dacf41c4901" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\ProgramData\amd64_wpf-uiautomationprovider_31bf3856ad364e35_10.0.17134.1_none_ea1d5dacf41c4901" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\ProgramData\amd64_wpf-uiautomationprovider_31bf3856ad364e35_10.0.17134.1_none_ea1d5dacf41c4901" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\amd64_wpf-uiautomationprovider_31bf3856ad364e35_10.0.17134.1_none_ea1d5dacf41c4901" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:1428
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\amd64_wpf-uiautomationprovider_31bf3856ad364e35_10.0.17134.1_none_ea1d5dacf41c4901" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:4012
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\amd64_wpf-uiautomationprovider_31bf3856ad364e35_10.0.17134.1_none_ea1d5dacf41c4901" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3048

C:\ProgramData\amd64_wpf-uiautomationprovider_31bf3856ad364e35_10.0.17134.1_none_ea1d5dacf41c4901\capauthz.exe
C:\ProgramData\amd64_wpf-uiautomationprovider_31bf3856ad364e35_10.0.17134.1_none_ea1d5dacf41c4901\capauthz.exe
1⤵
- Executes dropped EXE
PID:532

C:\ProgramData\amd64_wpf-uiautomationprovider_31bf3856ad364e35_10.0.17134.1_none_ea1d5dacf41c4901\capauthz.exe
C:\ProgramData\amd64_wpf-uiautomationprovider_31bf3856ad364e35_10.0.17134.1_none_ea1d5dacf41c4901\capauthz.exe
1⤵
- Executes dropped EXE
PID:1508

C:\ProgramData\amd64_wpf-uiautomationprovider_31bf3856ad364e35_10.0.17134.1_none_ea1d5dacf41c4901\capauthz.exe
C:\ProgramData\amd64_wpf-uiautomationprovider_31bf3856ad364e35_10.0.17134.1_none_ea1d5dacf41c4901\capauthz.exe
1⤵
- Executes dropped EXE
PID:2188

C:\ProgramData\amd64_wpf-uiautomationprovider_31bf3856ad364e35_10.0.17134.1_none_ea1d5dacf41c4901\capauthz.exe
C:\ProgramData\amd64_wpf-uiautomationprovider_31bf3856ad364e35_10.0.17134.1_none_ea1d5dacf41c4901\capauthz.exe
1⤵
- Executes dropped EXE
PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\amd64_wpf-uiautomationprovider_31bf3856ad364e35_10.0.17134.1_none_ea1d5dacf41c4901\capauthz.exe

Filesize
978KB

MD5
16a708129d03a707f6e3e94e0ca6628a

SHA1
44b419ae98820e646a8a4ce0282e3b4879749d09

SHA256
85dc9f61c3f382c1e29dda0300f0cb360261a496ef19f82e97201d83b3d5e743

SHA512
3175e84a49edaa6dacc3709576bb66b7090caad6c0f9dbcb65813ad3dc1286ab5144abdc146db0fe0861d345aaa35127357b2b6fdc70781578afcb2cbbdfb028

Download Submit
memory/1436-1-0x0000000000A70000-0x0000000000B6B000-memory.dmp

Filesize
1004KB

Download