f250f5ec78296a4ee55948ad5c74e1aa3182b1968b75ea00eb48bd39a653caf2

Analysis

max time kernel
129s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 10:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1aeef7b0422981ffb2cf3892d060d081_JaffaCakes118.exe
Size

57KB
MD5

1aeef7b0422981ffb2cf3892d060d081
SHA1

49c91fc0145fb7980b6ce2d413559436e46ca5e6
SHA256

f250f5ec78296a4ee55948ad5c74e1aa3182b1968b75ea00eb48bd39a653caf2
SHA512

1e3ba484a8bde83ec781666015482ecaac223a8117d59f0b1e4c17ec38fc952cde238bdf96bb9bb05dfe8fe74e429a6d21293d1b0e6f332dd0cc432062522e80
SSDEEP

1536:uK1IsfTaAHin8cmnYtMrFO+ald7IsUVS4l:bfQkYsxQdKVp

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4884	KB00711068.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KB00711068.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\KB00711068.exe\""	1aeef7b0422981ffb2cf3892d060d081_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
880	4884	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4884	KB00711068.exe
4884	KB00711068.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4884	KB00711068.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 4884	4004	1aeef7b0422981ffb2cf3892d060d081_JaffaCakes118.exe	85
PID 4004 wrote to memory of 4884	4004	1aeef7b0422981ffb2cf3892d060d081_JaffaCakes118.exe	85
PID 4004 wrote to memory of 4884	4004	1aeef7b0422981ffb2cf3892d060d081_JaffaCakes118.exe	85
PID 4004 wrote to memory of 2248	4004	1aeef7b0422981ffb2cf3892d060d081_JaffaCakes118.exe	86
PID 4004 wrote to memory of 2248	4004	1aeef7b0422981ffb2cf3892d060d081_JaffaCakes118.exe	86
PID 4004 wrote to memory of 2248	4004	1aeef7b0422981ffb2cf3892d060d081_JaffaCakes118.exe	86
PID 4884 wrote to memory of 2652	4884	KB00711068.exe	44
PID 4884 wrote to memory of 2652	4884	KB00711068.exe	44

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\1aeef7b0422981ffb2cf3892d060d081_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1aeef7b0422981ffb2cf3892d060d081_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Users\Admin\AppData\Roaming\KB00711068.exe
  "C:\Users\Admin\AppData\Roaming\KB00711068.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 684
    3⤵
    - Program crash
    PID:880
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\POS58CE.tmp.BAT"
  2⤵
  PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4884 -ip 4884
1⤵
PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\POS58CE.tmp.BAT

Filesize
286B

MD5
39e1576b6ee0453e4bb4e57965408a40

SHA1
134e90b18f00de55043761210b5c2c907415d444

SHA256
da1962a852354cec29295114c6f573b644d11f7ea4072d8b5f94330d32c49cba

SHA512
8776a11697c53f6e1213d77b35ec9345f676229da26ee9b1b3e48003dd3c66aeec80f94904872ebf80ae1cc2ec747e7a02e16eaa6e94b6d052e4f7973616167a

Download Submit
C:\Users\Admin\AppData\Roaming\KB00711068.exe

Filesize
57KB

MD5
1aeef7b0422981ffb2cf3892d060d081

SHA1
49c91fc0145fb7980b6ce2d413559436e46ca5e6

SHA256
f250f5ec78296a4ee55948ad5c74e1aa3182b1968b75ea00eb48bd39a653caf2

SHA512
1e3ba484a8bde83ec781666015482ecaac223a8117d59f0b1e4c17ec38fc952cde238bdf96bb9bb05dfe8fe74e429a6d21293d1b0e6f332dd0cc432062522e80

Download Submit
memory/4004-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4004-1-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4004-3-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4004-2-0x00000000001D0000-0x00000000001DA000-memory.dmp

Filesize
40KB

Download
memory/4004-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4004-14-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4884-9-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4884-11-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4884-10-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4884-19-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download