fc6fcf2b00f547b840fa95aad4f84522ee40d45f228bd3ceb7262757a46a0063

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bf1d3d8762c1070831846aaff5a0ca1_JaffaCakes118.exe
Size

1.3MB
MD5

1bf1d3d8762c1070831846aaff5a0ca1
SHA1

1c44771cee5123efd8dcd40cb524bd2d571b834d
SHA256

fc6fcf2b00f547b840fa95aad4f84522ee40d45f228bd3ceb7262757a46a0063
SHA512

f0a81e635f08cdb20e70bd4b5c923e6f0ed719f4ac35724ed37f7d205b57ed4f20f4f8ef5802963dcac537571968b9bd18b322d376d215ea443c32f56a2cfadb
SSDEEP

24576:F56m/BbDiBpCHPodc0NgJFG1Wnqxr5l37iNLopSkUTNnr30MmVykeA:F56m/1DiBAUaGCSltMo8kytkr

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4356	ttsy.exe
4196	Windows XP-087 .exe
704	3D Studio Max.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\3D Studio Max.exe	Windows XP-087 .exe
File opened for modification	C:\Windows\3D Studio Max.exe	Windows XP-087 .exe
File created	C:\Windows\GUOCYOKl.BAT	Windows XP-087 .exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4356	ttsy.exe
4356	ttsy.exe
4356	ttsy.exe
4356	ttsy.exe
4356	ttsy.exe
4356	ttsy.exe
4356	ttsy.exe
4356	ttsy.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4196	Windows XP-087 .exe
Token: SeDebugPrivilege	704	3D Studio Max.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
704	3D Studio Max.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 1328	3216	1bf1d3d8762c1070831846aaff5a0ca1_JaffaCakes118.exe	81
PID 3216 wrote to memory of 1328	3216	1bf1d3d8762c1070831846aaff5a0ca1_JaffaCakes118.exe	81
PID 3216 wrote to memory of 1328	3216	1bf1d3d8762c1070831846aaff5a0ca1_JaffaCakes118.exe	81
PID 3216 wrote to memory of 4152	3216	1bf1d3d8762c1070831846aaff5a0ca1_JaffaCakes118.exe	82
PID 3216 wrote to memory of 4152	3216	1bf1d3d8762c1070831846aaff5a0ca1_JaffaCakes118.exe	82
PID 3216 wrote to memory of 4152	3216	1bf1d3d8762c1070831846aaff5a0ca1_JaffaCakes118.exe	82
PID 1328 wrote to memory of 4356	1328	cmd.exe	85
PID 1328 wrote to memory of 4356	1328	cmd.exe	85
PID 1328 wrote to memory of 4356	1328	cmd.exe	85
PID 4152 wrote to memory of 4196	4152	cmd.exe	86
PID 4152 wrote to memory of 4196	4152	cmd.exe	86
PID 4152 wrote to memory of 4196	4152	cmd.exe	86
PID 704 wrote to memory of 2912	704	3D Studio Max.exe	89
PID 704 wrote to memory of 2912	704	3D Studio Max.exe	89
PID 4196 wrote to memory of 4696	4196	Windows XP-087 .exe	90
PID 4196 wrote to memory of 4696	4196	Windows XP-087 .exe	90
PID 4196 wrote to memory of 4696	4196	Windows XP-087 .exe	90

C:\Users\Admin\AppData\Local\Temp\1bf1d3d8762c1070831846aaff5a0ca1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1bf1d3d8762c1070831846aaff5a0ca1_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\\ttsy.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Users\Admin\AppData\Local\Temp\ttsy.exe
    C:\Users\Admin\AppData\Local\Temp\\ttsy.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\\Windows XP-087 .exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Users\Admin\AppData\Local\Temp\Windows XP-087 .exe
    "C:\Users\Admin\AppData\Local\Temp\\Windows XP-087 .exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4196
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\GUOCYOKl.BAT
      4⤵
      PID:4696

C:\Windows\3D Studio Max.exe
"C:\Windows\3D Studio Max.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:704
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Windows XP-087 .exe

Filesize
564KB

MD5
100646dc15881287b7993ee6b5abeab5

SHA1
9d26f5fd66b4164c18abd6b4e2da1f5095cb14d6

SHA256
b0c359a9f7c774b4d808be3eb89530b5cc48f876f66f1f86897c147eda60353c

SHA512
f62e3da861232c7d68b4924cccd76d7b22191b0f3c895d9799166f353f3b1134f78b32b3ed28944d4e80b3571de63950551fe3d7877918267d61c94d3e7cfba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ttsy.exe

Filesize
664KB

MD5
174bdd918a7deeb4a390c5b29f82f2a3

SHA1
480fc28d79b8beffce8a61c35b94ad83240c9eea

SHA256
f515c30b08c1048378ba101a60172f80ca9a1caa00e42b0ad8448f088fcdb659

SHA512
21e315a16d32287d2111a51a83b72da0bfe13b3a286316ea430d8c5cf4739209bfdbfea44112c685a43d2e914f6966da2ee80b4d2db72fe2ed3358863ef7ddb6

Download Submit
C:\Windows\GUOCYOKl.BAT

Filesize
156B

MD5
a651ffa9f54ee3d10a35d1e24b647353

SHA1
dcd2d98269d3af9e5e7adfd3f0f7c852634a0f04

SHA256
e08cc722fab7507183aff05a92c3e9bf86cf94e97a5d23b081a06995dbe9303f

SHA512
c33a8092aa033ffe4680dab0c293ffca4fb6e61cb4f61f217311599123df676cbc15ac3bd223f5895a31c0281e87d0c0139b519a4fbf375de1e71a11cad0c508

Download Submit
memory/704-45-0x0000000001670000-0x0000000001770000-memory.dmp

Filesize
1024KB

Download
memory/704-50-0x0000000001650000-0x0000000001651000-memory.dmp

Filesize
4KB

Download
memory/704-63-0x0000000001670000-0x0000000001770000-memory.dmp

Filesize
1024KB

Download
memory/704-61-0x0000000000EA0000-0x0000000000EEB000-memory.dmp

Filesize
300KB

Download
memory/704-59-0x0000000001670000-0x0000000001770000-memory.dmp

Filesize
1024KB

Download
memory/704-57-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/704-62-0x0000000001670000-0x0000000001770000-memory.dmp

Filesize
1024KB

Download
memory/704-42-0x0000000001670000-0x0000000001770000-memory.dmp

Filesize
1024KB

Download
memory/704-46-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/704-41-0x0000000000EA0000-0x0000000000EEB000-memory.dmp

Filesize
300KB

Download
memory/704-47-0x0000000001640000-0x0000000001641000-memory.dmp

Filesize
4KB

Download
memory/704-48-0x0000000001630000-0x0000000001631000-memory.dmp

Filesize
4KB

Download
memory/704-49-0x0000000001620000-0x0000000001621000-memory.dmp

Filesize
4KB

Download
memory/704-64-0x0000000001670000-0x0000000001770000-memory.dmp

Filesize
1024KB

Download
memory/704-44-0x0000000001670000-0x0000000001770000-memory.dmp

Filesize
1024KB

Download
memory/704-43-0x0000000001670000-0x0000000001770000-memory.dmp

Filesize
1024KB

Download
memory/704-40-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3216-2-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/4196-36-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/4196-34-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/4196-19-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/4196-18-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/4196-17-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/4196-16-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/4196-15-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4196-14-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/4196-13-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/4196-22-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/4196-24-0x0000000002A90000-0x0000000002A92000-memory.dmp

Filesize
8KB

Download
memory/4196-25-0x0000000002B00000-0x0000000002C00000-memory.dmp

Filesize
1024KB

Download
memory/4196-30-0x0000000002B00000-0x0000000002C00000-memory.dmp

Filesize
1024KB

Download
memory/4196-31-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/4196-32-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/4196-21-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/4196-35-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/4196-37-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/4196-33-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/4196-29-0x0000000002B00000-0x0000000002C00000-memory.dmp

Filesize
1024KB

Download
memory/4196-53-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4196-54-0x00000000022D0000-0x000000000231B000-memory.dmp

Filesize
300KB

Download
memory/4196-28-0x0000000002B00000-0x0000000002C00000-memory.dmp

Filesize
1024KB

Download
memory/4196-10-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4196-23-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/4196-20-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/4196-12-0x00000000022D0000-0x000000000231B000-memory.dmp

Filesize
300KB

Download
memory/4356-11-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/4356-56-0x0000000000400000-0x00000000004E8A08-memory.dmp

Filesize
930KB

Download
memory/4356-7-0x0000000000400000-0x00000000004E8A08-memory.dmp

Filesize
930KB

Download