375ff1105cd20b683f441014ba8988b1e15327c6bf3457a971e3629c6afe022f

Analysis

max time kernel
92s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe
Size

13KB
MD5

1b2f8831502828b78c1b695d74c67b38
SHA1

00285aeb117e125ef5cf1bdb240b758f603f037e
SHA256

375ff1105cd20b683f441014ba8988b1e15327c6bf3457a971e3629c6afe022f
SHA512

d7b22f7997739b9edf19f46bcc74f93899413748200276b0fe07320c3d1500210dcbae4f46bd44f9b11054814428c71312430bad3b8c8c50cdcaef20a1e0a4d8
SSDEEP

384:emWDlkSA2Ji8MJpHX7P8dE00zK2G7rfLD4GEFq/:emQfKpHuEZzKZTD4GEF0

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\adsntzt.dll = "{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}"	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
1460	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\adsntzt.nls	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\adsntzt.tmp	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\adsntzt.tmp	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}\InProcServer32	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}\InProcServer32\ = "C:\\Windows\\SysWow64\\adsntzt.dll"	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}\InProcServer32\ThreadingModel = "Apartment"	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1460	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe
1460	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1460	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe
1460	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe
1460	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 1060	1460	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe	89
PID 1460 wrote to memory of 1060	1460	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe	89
PID 1460 wrote to memory of 1060	1460	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\D10B.tmp.bat
  2⤵
  PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D10B.tmp.bat

Filesize
207B

MD5
01211861e40903ef04d795276c2c743a

SHA1
8957daa799946083d071d4dec4fa5786c4c17ec2

SHA256
34615175966b19796156173fcae218affaeb5648a93e05498adda6d0710c45b2

SHA512
f6b3d15d9f7c05f974ed3200fc5d0734cf908ce5c5a52446342eceab6826c75314233166632627d5f1733fcbf349d23d03db1a57eb41dfdfc6fa937d2340513f

Download Submit
C:\Windows\SysWOW64\adsntzt.tmp

Filesize
957KB

MD5
8b8d5fdbcd4cf2b79abe588cd975a9cc

SHA1
0104685c9bd808f28c02900fb5339acecd7b4809

SHA256
bb71db1b472bcffdcb4f87fb733ffd6617032c773380b095abddd895df03da5d

SHA512
88cf81c6a449396e8ff22b9a99ddb64217e0e9fe7b9637a2b785b41bd90594c5a3d0d328f5fd15e3f73244ead23b1d7e8dd8fb7570d5385b8b0d3ad731c00a2a

Download Submit
memory/1460-13-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download
memory/1460-17-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download