6b1a768321d9311066e1dfb8828144b996eed69defa85d68079d3a3254722395

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

212f4fbd9f90e7517f64bd55f0aee268_JaffaCakes118.exe
Size

24KB
MD5

212f4fbd9f90e7517f64bd55f0aee268
SHA1

9220125d3f83714dbb46cb8d8832dbdac14d6d41
SHA256

6b1a768321d9311066e1dfb8828144b996eed69defa85d68079d3a3254722395
SHA512

70d3818f81b111937aa9a7af8890bd4c936ab0cc274553e3e498570ac63c8ef368fa3e2c343abd63dc306395f565fd07177ed5307ca27edb915ce7aac30b8226
SSDEEP

384:mgW/WoVXaGOuJvv2ptnSbADepPhY2mD9zjtRFwIQMJE2A4ysCwSynBzb5VXXMMgE:Ua6vvMsbyeHYzD9ftGdB4y9GJLM+

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FC326416\ImagePath = "C:\\Windows\\system32\\331CD3DA.EXE -a"	212f4fbd9f90e7517f64bd55f0aee268_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2640	331CD3DA.EXE

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\331CD3DA.EXE	212f4fbd9f90e7517f64bd55f0aee268_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\331CD3DA.EXE	212f4fbd9f90e7517f64bd55f0aee268_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\331CD3DA.EXE	331CD3DA.EXE
File created	C:\Windows\SysWOW64\EA992846.DLL	331CD3DA.EXE
File created	C:\Windows\SysWOW64\del.bat	212f4fbd9f90e7517f64bd55f0aee268_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4744	212f4fbd9f90e7517f64bd55f0aee268_JaffaCakes118.exe
4744	212f4fbd9f90e7517f64bd55f0aee268_JaffaCakes118.exe
2640	331CD3DA.EXE
2640	331CD3DA.EXE
2640	331CD3DA.EXE
2640	331CD3DA.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 1904	4744	212f4fbd9f90e7517f64bd55f0aee268_JaffaCakes118.exe	82
PID 4744 wrote to memory of 1904	4744	212f4fbd9f90e7517f64bd55f0aee268_JaffaCakes118.exe	82
PID 4744 wrote to memory of 1904	4744	212f4fbd9f90e7517f64bd55f0aee268_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\212f4fbd9f90e7517f64bd55f0aee268_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\212f4fbd9f90e7517f64bd55f0aee268_JaffaCakes118.exe"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\del.bat
  2⤵
  PID:1904

C:\Windows\SysWOW64\331CD3DA.EXE
C:\Windows\SysWOW64\331CD3DA.EXE -a
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\331CD3DA.EXE

Filesize
24KB

MD5
212f4fbd9f90e7517f64bd55f0aee268

SHA1
9220125d3f83714dbb46cb8d8832dbdac14d6d41

SHA256
6b1a768321d9311066e1dfb8828144b996eed69defa85d68079d3a3254722395

SHA512
70d3818f81b111937aa9a7af8890bd4c936ab0cc274553e3e498570ac63c8ef368fa3e2c343abd63dc306395f565fd07177ed5307ca27edb915ce7aac30b8226

Download Submit
C:\Windows\SysWOW64\del.bat

Filesize
233B

MD5
c11513e32e84c9834185b254270b6cd9

SHA1
70a5491d439ad84af8eb5f75497e4a229f5211d9

SHA256
e59f1ae6c113a3b317d41c9b383c5b973171ee6be91c65cf8404fdf3b08363b8

SHA512
e56f1eaedcd2de32af999434439e8d22484bc1d6a86eeb03d9f79bc92da9250690e9471b92d9463b4ad367de441ccbba34edd017027db5f10ea4bbd0f15a328b

Download Submit
memory/2640-5-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2640-6-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2640-12-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4744-1-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/4744-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4744-10-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download