69ced07aace8b28b2c8b10ee316e95099c12b1214b46916b3ce120214e93230c

Analysis

max time kernel
115s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19b1d13740383d5ef796b22c69ecb912_JaffaCakes118.exe
Size

42KB
MD5

19b1d13740383d5ef796b22c69ecb912
SHA1

6aa9e26ddf8c6d2557ec1d2d482bb541224c7d56
SHA256

69ced07aace8b28b2c8b10ee316e95099c12b1214b46916b3ce120214e93230c
SHA512

33fceeb9ad4131689d5783c7969e0dbe65bd6a76487b51da69814c2ccbb3f7064caf0ca39b8bc0ab1b1db0d4e5d07b793b4911ac80c708c2b86f85b48f644751
SSDEEP

768:JLOSDHx0XCobC4T9KFKXRqDqi8Qp02D0g8pPJl5LSnD:JLV72q5IXnLQpX0g8pP/dSD

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\kusn33sd\ImagePath = "C:\\Windows\\system32\\kusn33sd.exe -j"	19b1d13740383d5ef796b22c69ecb912_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2484	kusn33sd.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kusn433sd3.dll	kusn33sd.exe
File created	C:\Windows\SysWOW64\kusn33sd.exe	19b1d13740383d5ef796b22c69ecb912_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\kusn33sd.exe	19b1d13740383d5ef796b22c69ecb912_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\kusn33sd.exe	kusn33sd.exe
File created	C:\Windows\SysWOW64\KillMe.bat	19b1d13740383d5ef796b22c69ecb912_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2484	kusn33sd.exe
2484	kusn33sd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	3296	19b1d13740383d5ef796b22c69ecb912_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3296 wrote to memory of 3008	3296	19b1d13740383d5ef796b22c69ecb912_JaffaCakes118.exe	98
PID 3296 wrote to memory of 3008	3296	19b1d13740383d5ef796b22c69ecb912_JaffaCakes118.exe	98
PID 3296 wrote to memory of 3008	3296	19b1d13740383d5ef796b22c69ecb912_JaffaCakes118.exe	98

C:\Users\Admin\AppData\Local\Temp\19b1d13740383d5ef796b22c69ecb912_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19b1d13740383d5ef796b22c69ecb912_JaffaCakes118.exe"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\KillMe.bat
  2⤵
  PID:3008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3800,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:8
1⤵
PID:5064

C:\Windows\SysWOW64\kusn33sd.exe
C:\Windows\SysWOW64\kusn33sd.exe -j
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\KillMe.bat

Filesize
239B

MD5
7a643aa945bfd73621b1fd5ca2474117

SHA1
6f30a945cce14151819d7feb6dbad796944c5227

SHA256
77134906e250d7da86405969913c35f6feb4b4ea2671e3b101fef9aaaf325ec9

SHA512
4d4726af35249661f78e061ff0f6ef65fd2f393f047077397b3ec95e1d79740c89b26725b7f87b60907cbef9eae03f5c3609c4134347dea89e958b8e5fb07648

Download Submit
C:\Windows\SysWOW64\kusn33sd.exe

Filesize
42KB

MD5
19b1d13740383d5ef796b22c69ecb912

SHA1
6aa9e26ddf8c6d2557ec1d2d482bb541224c7d56

SHA256
69ced07aace8b28b2c8b10ee316e95099c12b1214b46916b3ce120214e93230c

SHA512
33fceeb9ad4131689d5783c7969e0dbe65bd6a76487b51da69814c2ccbb3f7064caf0ca39b8bc0ab1b1db0d4e5d07b793b4911ac80c708c2b86f85b48f644751

Download Submit
memory/2484-8-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2484-7-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2484-13-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3296-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3296-1-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/3296-2-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3296-3-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download