16b6315121e9fe0dc284594d3f153b5e68de432ce4655beb37a382c8531b3544

Analysis

max time kernel
150s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe
Size

418KB
MD5

20fead844c31288d236d5dce100dfca6
SHA1

525afc9c9f9f2acbf85e80f51fe5057b5f94407a
SHA256

16b6315121e9fe0dc284594d3f153b5e68de432ce4655beb37a382c8531b3544
SHA512

2884c94a9c4f1c1b9ae382283d5a9bef154be7753f609c41ede4ac9f47f09b7ffd01ebc4379e9dc5f4bea5cd839a415be36784cb57d619ea110ae6d32e644a79
SSDEEP

6144:z1LDhBEUQ2G7E+udcoPv5n68ucAIRRNSoNbh9tjyqhDzyBkfTT9MQrFbF4mp:z1fhtQYh6VcASRNSUt9QifTT2QrP4

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2448	kKg21500hImMf21500.exe

Executes dropped EXE 2 IoCs

pid	Process
860	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/648-6-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/860-19-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/860-20-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/648-21-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/2448-28-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/2448-31-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/2448-38-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kKg21500hImMf21500 = "C:\\ProgramData\\kKg21500hImMf21500\\kKg21500hImMf21500.exe"	kKg21500hImMf21500.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe
648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe
648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe
648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe
648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe
648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe
648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe
648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe
648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe
648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe
648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe
648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe
860	kKg21500hImMf21500.exe
860	kKg21500hImMf21500.exe
648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe
648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe
648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe
648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe
860	kKg21500hImMf21500.exe
860	kKg21500hImMf21500.exe
860	kKg21500hImMf21500.exe
860	kKg21500hImMf21500.exe
648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe
648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe
648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe
648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe
Token: SeDebugPrivilege	860	kKg21500hImMf21500.exe
Token: SeDebugPrivilege	2448	kKg21500hImMf21500.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2448	kKg21500hImMf21500.exe
2448	kKg21500hImMf21500.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 860	648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe	88
PID 648 wrote to memory of 860	648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe	88
PID 648 wrote to memory of 860	648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe	88
PID 648 wrote to memory of 2448	648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe	89
PID 648 wrote to memory of 2448	648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe	89
PID 648 wrote to memory of 2448	648	20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:648
- C:\ProgramData\kKg21500hImMf21500\kKg21500hImMf21500.exe
  "C:\ProgramData\kKg21500hImMf21500\kKg21500hImMf21500.exe" BOMBARDAMAXIMUM
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:860
- C:\ProgramData\kKg21500hImMf21500\kKg21500hImMf21500.exe
  "C:\ProgramData\kKg21500hImMf21500\kKg21500hImMf21500.exe" "C:\Users\Admin\AppData\Local\Temp\20fead844c31288d236d5dce100dfca6_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4432,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=3452 /prefetch:8
1⤵
PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kKg21500hImMf21500\kKg21500hImMf21500

Filesize
192B

MD5
ace1b18b965074442fa787fb2bd68658

SHA1
560ef12f13b61ea3dffec50b4a51dbf8d1fca7d5

SHA256
3f75bd46e01f2603bcd7eecb1e13dfa84eac2f2a1aafb5954714bec5c22f2072

SHA512
5595cbcb94368822ac86fdc3d7aaa08cef4dc6d330c87b9c208ae0dbcf27ab180253b35611353c271db3b79200fbac632c98739ed5376e35120f34f8269b9fb1

Download Submit
C:\ProgramData\kKg21500hImMf21500\kKg21500hImMf21500.exe

Filesize
418KB

MD5
0bde04852a838e198a30bb8477b9d32f

SHA1
b73f8327cf46983ba4548c193a414cf113407ec6

SHA256
f69907e547c546e1c9379e3bfd6492d1a7e2cdd09d38fae7698554823d4739ee

SHA512
bce280a4426734bcd1529bfef2a0cf877a721426e47414efcbaf9155c7d1e362867e8d510931001e5c62b2b2198b0c51cfe8d8483cad7acf99a930e165aa16e1

Download Submit
memory/648-0-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/648-6-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/648-21-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/860-19-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/860-20-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2448-28-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2448-31-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2448-38-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download