Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    03/07/2024, 10:31

General

  • Target

    2208aaa95b499465dad1591035429009_JaffaCakes118.exe

  • Size

    157KB

  • MD5

    2208aaa95b499465dad1591035429009

  • SHA1

    43b2864913c46b70c454aca239eaabc70de569bc

  • SHA256

    d72e099c7c7ddb8533ebbbfe7db8430be5301dd8b54c085a637dcce9b3f87b98

  • SHA512

    da30974b8f483b4ca09ca2666f3c96ec3729fd2435f8cc039ac6d43ba17a9afdee45bc4bb5fda607439e19e7f4f76c9053ec2b8a51fa2edcf4a3ef0715c5854c

  • SSDEEP

    3072:iU1PB0i/7jyEFlIc78wZAXsBVfv5gtE2jAK6ie8rtoukEruSZJX:JBB/7BFOEYXC15gWgX6ieytoud

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 1 IoCs
  • Unexpected DNS network traffic destination 10 IoCs

    Traffic on the DNS port was sent to servers other than the resolvers the analysis guest is configured to use.

  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
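The "Unexpected DNS network traffic destination" signature is a simple rule: port-53 traffic whose destination is not one of the guest's configured resolvers, one IoC per flow. The following is an added example of that check over a flow log; it is not code from the report or from the sandbox vendor. The resolver address and the flow records are constructed (documentation-range addresses only), and the report's own Network section is empty, so none of the destinations below are ones this sample actually contacted.

```python
"""Flag DNS-port traffic sent to anything other than the configured resolvers.

Added example, not part of the sandbox report. The resolver address and the
flow log below are constructed so the script runs offline; the report itself
records no network destinations for this sample."""
from collections import Counter

# Resolver(s) the guest is configured to use (assumed value for the example).
CONFIGURED_DNS = {"192.0.2.1"}
DNS_PORTS = {53}

# Constructed flow log, one record per line: proto src:sport -> dst:dport
SAMPLE_FLOWS = """\
udp 192.0.2.10:49671 -> 192.0.2.1:53
udp 192.0.2.10:49672 -> 192.0.2.1:53
udp 192.0.2.10:50012 -> 192.0.2.53:53
udp 192.0.2.10:50013 -> 203.0.113.7:53
tcp 192.0.2.10:50014 -> 203.0.113.7:53
tcp 192.0.2.10:50015 -> 203.0.113.7:443
"""


def parse_flow(line):
    """Split 'proto src:sport -> dst:dport' into a dict; ports become ints."""
    proto, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected flow line: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"proto": proto.lower(), "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port)}


def unexpected_dns_destinations(flow_text, configured=CONFIGURED_DNS):
    """Return {destination: flow count} for DNS-port traffic not sent to a
    configured resolver. Each matching flow is one IoC, which is how the
    sandbox counts them. A port-based rule does not see DNS over HTTPS (443)
    or DNS over TLS (853); those need their own checks."""
    hits = Counter()
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["dport"] in DNS_PORTS and f["dst"] not in configured:
            hits[f["dst"]] += 1
    return dict(hits)


def ioc_count(flow_text, configured=CONFIGURED_DNS):
    """Total number of offending flows (the report's IoC count for this signature)."""
    return sum(unexpected_dns_destinations(flow_text, configured).values())


if __name__ == "__main__":
    for dst, n in sorted(unexpected_dns_destinations(SAMPLE_FLOWS).items()):
        print(f"{dst}: {n} DNS-port flow(s) to a non-configured resolver")
```

When triaging this signature, note that it fires equally for benign software that ships its own resolver list; the process tree and the queried names, not the port alone, decide whether the destination is attacker infrastructure.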

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Executes dropped EXE
    PID:3420
    • C:\Users\Admin\AppData\Local\Temp\2208aaa95b499465dad1591035429009_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\2208aaa95b499465dad1591035429009_JaffaCakes118.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1320
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Deletes itself
        PID:5024

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\$ea2e2158aac05fcd2251cfe270de11a2\n

    Filesize

    25KB

    MD5

    031f24073b43717e018ba0c5f62cb0c2

    SHA1

    504008e17d774bdfd3996ce8cf521277ca620ca9

    SHA256

    9abdc34bee90330fa2505f0c3f74eda6036e5adf22cc8bcd57192d0bf6f17946

    SHA512

    c9a163bc5cd6171013e38ee418737f0ee383b733090648d8879b259b0659d803c23d2e62b6e34e9897c436f35984ccc4f29d552a975f03292774834279f07d37

  • memory/1320-1-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/1320-2-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/1320-9-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/1320-10-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/3420-3-0x00000000027D0000-0x00000000027D1000-memory.dmp

    Filesize

    4KB

  • memory/3420-7-0x00000000027D0000-0x00000000027D1000-memory.dmp

    Filesize

    4KB
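The six dump names above encode a per-process timeline: the region at 0x400000 in PID 1320 is 132KB in dumps 1 and 10 but 228KB in dumps 2 and 9, and PID 3420 (Explorer.EXE, a process the sample did not spawn) has a 4KB region dumped twice. The following added example, not code from the report or the sandbox vendor, parses those names and surfaces both observations; the filename layout memory/<pid>-<seq>-<start>-<end>-memory.dmp is inferred from the listing, and the sizes are recomputed from the addresses rather than read from the page.

```python
"""Turn a sandbox report's memory-dump names into a per-process region timeline.

Added example, not part of the report. The name layout
memory/<pid>-<seq>-<start>-<end>-memory.dmp is inferred from the listing above."""
import re
from collections import defaultdict

# The six dump entries from the report's Downloads section, copied verbatim.
DUMP_NAMES = [
    "memory/1320-1-0x0000000000400000-0x0000000000421000-memory.dmp",
    "memory/1320-2-0x0000000000400000-0x0000000000439000-memory.dmp",
    "memory/1320-9-0x0000000000400000-0x0000000000439000-memory.dmp",
    "memory/1320-10-0x0000000000400000-0x0000000000421000-memory.dmp",
    "memory/3420-3-0x00000000027D0000-0x00000000027D1000-memory.dmp",
    "memory/3420-7-0x00000000027D0000-0x00000000027D1000-memory.dmp",
]

DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """Split a dump name into pid, sequence number, base address and byte size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a dump name: {name!r}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(pid), "seq": int(seq), "start": start, "size": end - start}


def size_kb(name):
    """Region size in KiB, which is what the report prints as Filesize."""
    return parse_dump_name(name)["size"] // 1024


def region_timeline(names):
    """{(pid, base): [(seq, size), ...]} ordered by dump sequence number."""
    timeline = defaultdict(list)
    for d in map(parse_dump_name, names):
        timeline[(d["pid"], d["start"])].append((d["seq"], d["size"]))
    return {k: sorted(v) for k, v in timeline.items()}


def resized_regions(names):
    """Regions whose extent changed between dumps at the same base address.
    For an image at 0x400000 this is what an in-place unpack or overwrite
    of the original PE looks like from the outside."""
    return {k: [s for _, s in v]
            for k, v in region_timeline(names).items()
            if len({s for _, s in v}) > 1}


def foreign_pids(names, sample_pid):
    """PIDs other than the sample's own that had memory dumped: the first
    places to look when the report also flags WriteProcessMemory."""
    return sorted({parse_dump_name(n)["pid"] for n in names} - {sample_pid})


if __name__ == "__main__":
    for (pid, base), sizes in resized_regions(DUMP_NAMES).items():
        print(f"pid {pid} base {base:#x} sizes {[s // 1024 for s in sizes]} KB")
    print("other PIDs with dumps:", foreign_pids(DUMP_NAMES, 1320))
```

Dump sequence numbers run across all processes (3 and 7 belong to Explorer, in between the sample's own 2 and 9), so the timeline should be read interleaved: the 4KB region in Explorer is dumped while the sample's image is in its larger, 228KB form.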