4291a26c357ca63c452c4dd7081e96eac302cfecda5c0d9c28c1e7e2bd3ba03c

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
Size

168KB
MD5

21b1aa83f25c211a48af93d3f36c879e
SHA1

9bc88e363e0c6dfc27f49f9ffe7384056b91f331
SHA256

4291a26c357ca63c452c4dd7081e96eac302cfecda5c0d9c28c1e7e2bd3ba03c
SHA512

0b3df7239740e88f0d09c5ca66fd35e78702d4625a95767bd1813058f163db6b1c60951c1c8f7fc91e3e4961c3d8ca66688620e20b377a1e6f83f6dd11ffc988
SSDEEP

3072:F6Z6aMP2uB2mMfy8I1LMSglXrSzSbIQw4DfjE1FUt/GK49xElUcvg0:HtzYmu7ItEuzScr4DfjE1FUtXtP

Score

7^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{ea2e2158-aac0-5fcd-2251-cfe270de11a2}\\n."	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\clsid	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1112	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
1112	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
1112	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
1112	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
1112	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
1112	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
1112	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
1112	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1112	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
Token: SeDebugPrivilege	1112	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
Token: SeDebugPrivilege	1112	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 3456	1112	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe	56
PID 1112 wrote to memory of 3456	1112	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3456
- C:\Users\Admin\AppData\Local\Temp\21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe"
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1112-1-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1112-0-0x000000000041D000-0x0000000000421000-memory.dmp

Filesize
16KB

Download
memory/1112-2-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1112-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1112-8-0x000000000041D000-0x0000000000421000-memory.dmp

Filesize
16KB

Download
memory/3456-3-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/3456-6-0x0000000002EF0000-0x0000000002EFC000-memory.dmp

Filesize
48KB

Download
memory/3456-9-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download