6590b64fb6af5805c077d565fbf033bb2c16e9c6a9b60f4eb4b9cb0c497b067b

Analysis

max time kernel
79s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe
Size

10KB
MD5

18f47e0c7573514b97a4126b014a4bff
SHA1

ce2b0efe6e028250fb4f1cfd44cb54c8bb2dbbae
SHA256

6590b64fb6af5805c077d565fbf033bb2c16e9c6a9b60f4eb4b9cb0c497b067b
SHA512

ce50d82e087c0d5d7988bead4d04669179b2f37ec371c38bd37508f8475e3277aa60320b57b1064e6fa08a252479c63082dee86f41c165f718607a696ad04eb8
SSDEEP

192:Kd+AcKf9ONc7JDB/6Y8UFDB0tYLKecS1EeluhrPOgfKKI:GJfMNc1pNhB0iLKeqelwzNKKI

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1328	18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tlsa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlso.exe"	18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3028	1328	WerFault.exe	79

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1328	18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe
1328	18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe
1328	18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe
1328	18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe
1328	18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe
1328	18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe
1328	18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe
1328	18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1328	18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 3440	1328	18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3440
- C:\Users\Admin\AppData\Local\Temp\18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 392
    3⤵
    - Program crash
    PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 1328 -ip 1328
1⤵
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tlso0.dll

Filesize
9KB

MD5
9c5fc1eac585d9e49f87870a1251c3ad

SHA1
104aa1025352df10d3f8b4e9550af568ace3f311

SHA256
19e29a4e4580080df2d1d89486c8e1a0ae63c9fafd354dfda3c68d460728c373

SHA512
48a61102f954462da9b0de6ad7d506c146de497cde21fec74963e2bb6110bc9d215e812989efcc0cf824e84e1db23e38b0f9b8cf30a8d12c9c8c9b94ff9db42e

Download Submit
memory/1328-5-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/1328-6-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download