5a149525bb861d9640082adb4e845e384a909b58737e1a7becb0048743777d0e

Analysis

max time kernel
51s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a444756aac5041a41cc00e6819153a6_JaffaCakes118.exe
Size

192KB
MD5

1a444756aac5041a41cc00e6819153a6
SHA1

5e177a7ebaa2cc983a2bb0951712916fd0985e21
SHA256

5a149525bb861d9640082adb4e845e384a909b58737e1a7becb0048743777d0e
SHA512

46762924d836066ebdbf62a7787acc730c0afba99b12d07b086303ba93379d200619814ae39437aa30f15bf14b29098e051707498afbfbd30c9e88ef7637219d
SSDEEP

3072:yPKJnMKJfOydUlIyVcsj5RXQhw0AE6TsuZfs:yiJsy+eyu+XSAnwuZk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2772	cojywr.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\gcojy	cojywr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\gcojy	cojywr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	cojywr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	cojywr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	cojywr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\gcojy\\command	cojywr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	cojywr.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
924	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 3664	1256	1a444756aac5041a41cc00e6819153a6_JaffaCakes118.exe	81
PID 1256 wrote to memory of 3664	1256	1a444756aac5041a41cc00e6819153a6_JaffaCakes118.exe	81
PID 1256 wrote to memory of 3664	1256	1a444756aac5041a41cc00e6819153a6_JaffaCakes118.exe	81
PID 3664 wrote to memory of 2772	3664	cmd.exe	83
PID 3664 wrote to memory of 2772	3664	cmd.exe	83
PID 3664 wrote to memory of 2772	3664	cmd.exe	83
PID 3664 wrote to memory of 924	3664	cmd.exe	84
PID 3664 wrote to memory of 924	3664	cmd.exe	84
PID 3664 wrote to memory of 924	3664	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\1a444756aac5041a41cc00e6819153a6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1a444756aac5041a41cc00e6819153a6_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eaunujy.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Users\Admin\AppData\Local\Temp\cojywr.exe
    "C:\Users\Admin\AppData\Local\Temp\cojywr.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2772
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cojywr.exe

Filesize
144KB

MD5
277a5f822b3450e670c6e81bed9ba51d

SHA1
f0cba07e9b084c341090f8cc506c8638e5577700

SHA256
2237a913a9b57afe24530302df127cdefc057834e26b85b10ede78dc66cf957d

SHA512
2085e000fddba74bba82b2fe23752803f0a0fbba1d3337c9f6c15d600e0a68c5f179d1f3165559e8be7a313552a55e1c71f361d711a1dbcf4734dafa2df1e042

Download Submit
C:\Users\Admin\AppData\Local\Temp\eaunujy.bat

Filesize
124B

MD5
e8eadcf1ee7cf4d18be4faee1d281255

SHA1
9250979a434e755521b5ace94444ce5f22c8caf7

SHA256
e760f3894cc45d1f49c6509e18c157eedba3c7647ed6580db3fb8217ff3c14f9

SHA512
10ef41945223dc8edc28ecc2fa1b7dc7e5a775279ddfb7324c2a812aeb6f330c7fd70590e44e616b237d9150bf0ae77198ab58fe2b6129fe9c1d0d60c94e0621

Download Submit
C:\Users\Admin\AppData\Local\Temp\fduoso.bat

Filesize
170B

MD5
bb2ec21231f81a4d7f0fc2b74123df75

SHA1
21791df705bb3ecd92cc175eae3be5e059a26bad

SHA256
394eab6d6d578d740c6f7b22a5992fd11c874b3547022f3c3ba9957bd1d53307

SHA512
84e2071a8edffbb9fe18e3eba731aed7e16bb718184735a57a9a1e10bf0b4e8d5236bc29a75e2ea6b8447461040bbaeb1486cea5cf7211c9078f3e4365379ca1

Download Submit