698ff016bb4f27b60a71cfc0b1957e3398c954bda8453de6836f6bd05414b7ed

Analysis

max time kernel
41s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b41baa10cb45103df21551e7d58ae3e_JaffaCakes118.exe
Size

4.2MB
MD5

1b41baa10cb45103df21551e7d58ae3e
SHA1

ff1287ba7cb4032e7044788c7a12696d51d4bf24
SHA256

698ff016bb4f27b60a71cfc0b1957e3398c954bda8453de6836f6bd05414b7ed
SHA512

f2784fba0e4fa21a8f953230db6d3335f2d3d805e6fbddd55de0f11c83401c5eb57c06ce909c00c91c9d7570127b1330102252be41695533b58b837a3bc4b135
SSDEEP

98304:vmPABu9M1N0fFAo69ve2KthYj/ooMFA7j6oLU:vmPSuT9Ao68TvYj/nMFA7m

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A27B4.exe.exe	.Download-Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A27B4.exe.exe	.Download-Server.exe

Executes dropped EXE 1 IoCs

pid	Process
1596	.Download-Server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1b41baa10cb45103df21551e7d58ae3e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1596	.Download-Server.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 1596	4568	1b41baa10cb45103df21551e7d58ae3e_JaffaCakes118.exe	81
PID 4568 wrote to memory of 1596	4568	1b41baa10cb45103df21551e7d58ae3e_JaffaCakes118.exe	81
PID 4568 wrote to memory of 1596	4568	1b41baa10cb45103df21551e7d58ae3e_JaffaCakes118.exe	81
PID 1596 wrote to memory of 912	1596	.Download-Server.exe	82
PID 1596 wrote to memory of 912	1596	.Download-Server.exe	82
PID 1596 wrote to memory of 912	1596	.Download-Server.exe	82
PID 912 wrote to memory of 432	912	net.exe	84
PID 912 wrote to memory of 432	912	net.exe	84
PID 912 wrote to memory of 432	912	net.exe	84

C:\Users\Admin\AppData\Local\Temp\1b41baa10cb45103df21551e7d58ae3e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b41baa10cb45103df21551e7d58ae3e_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\.Download-Server.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\.Download-Server.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\.Download-Server.exe

Filesize
76KB

MD5
ca8c0aca646aae4a7029ae898efc346d

SHA1
785ca48171fd02481769f46d504897f025f42d41

SHA256
67ba1b63d2ccd57013b42cccc4bcfd4537c9cab98a128f1a1e365c86645a67c6

SHA512
7fbb337e5cb97a05217ac679523d926f213007d053d9823fa980b46ef091557be74c933034ff5ea3efb301915d00d6dfe60f8a7d39c54cdc6946ca0abac1223a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads