e3bac78f033e3acf4e1245b883b74fff65e1805e77391a281c5810899d8390d9

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 11:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

223f1f43ae861f71edb0d0a800d17504_JaffaCakes118.exe
Size

124KB
MD5

223f1f43ae861f71edb0d0a800d17504
SHA1

aef11b32989f153a0868eeceedde556830f7c231
SHA256

e3bac78f033e3acf4e1245b883b74fff65e1805e77391a281c5810899d8390d9
SHA512

a991a03e14beac21eecfd099299daf660f6d9fe2c7a2e78c5ad732cea112465e926c516626e17955be10e7467fb7dcd0de739cbc87e73f61886bd96dd4e1c4c0
SSDEEP

3072:0rj2Der8MNJ5aeqMccCfN6hXNKQLbn7nbEr5S9+XRuHTXCj:cj2DC8kZqrf6hwMb7nKVXR6zo

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3740	sc.exe
4076	sc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	223f1f43ae861f71edb0d0a800d17504_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	sc.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ ÍX"¨Ôôym¨uniƒÈx¸H©ÁCBœhŒog„y0¨un‰s°Èx¸Hb›oqoŽ0¨uŽ™{6›oqonhŒo‡t‘WÆJ;´ÁCBœhŒog„y0¨un‰sb›oqoŽ0¨uŽ™{6›o‘b™¦i’pYMEA—kg‘®{¶[‘S‚icA³ºb—uŽzwsb‹}{v…‘32¢{m„°i‚uˆD„iˆ™zVvaA³ºb—uŽzws¢«}{v…‘32\DriveHIžÜa.exe	sc.exe
File created	C:\Windows\SysWOW64\ ÍX"¨Ôôym¨uniƒÈx¸H©ÁCBœhŒog„y0¨un‰s°Èx¸Hb›oqoŽ0¨uŽ™{6›oqonhŒo‡t‘WÆJ;´ÁCBœhŒog„y0¨un‰sb›oqoŽ0¨uŽ™{6›o‘b™¦i’pYMEA—kg‘®{¶[‘S‚icA³ºb—uŽzwsb‹}{v…‘32¢{m„°i‚uˆD„iˆ™zVvaA³ºb—uŽzws¢«}{v…‘32\DriveHIžÜa.exe	sc.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3740	sc.exe
4076	sc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 3740	3032	223f1f43ae861f71edb0d0a800d17504_JaffaCakes118.exe	81
PID 3032 wrote to memory of 3740	3032	223f1f43ae861f71edb0d0a800d17504_JaffaCakes118.exe	81
PID 3032 wrote to memory of 3740	3032	223f1f43ae861f71edb0d0a800d17504_JaffaCakes118.exe	81
PID 3740 wrote to memory of 4076	3740	sc.exe	82
PID 3740 wrote to memory of 4076	3740	sc.exe	82
PID 3740 wrote to memory of 4076	3740	sc.exe	82

C:\Users\Admin\AppData\Local\Temp\223f1f43ae861f71edb0d0a800d17504_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\223f1f43ae861f71edb0d0a800d17504_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sc.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Launches sc.exe
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sc.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Launches sc.exe
    PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sc.exe

Filesize
93KB

MD5
abc70c54a47db29d860a6b6dabe9f649

SHA1
5e028d94d2d6629d3bf8dc095cc6e422c321716f

SHA256
ecadaef4e617c8101b4fcd9d01e865f8ac2139e4abdbaf7169da55254e401460

SHA512
bedc0d356afe1e2af2c939ec0ab326bf6306bb0bda1fb94a7bdd0ca37f60b70c09533bd91637f6ad633ebe9eb2cd47eb7d12a63a0d6c3e45d62457eea8b5ca35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sc.exe

Filesize
94KB

MD5
7d7a4c65d2b136fc79ee7d89994823b6

SHA1
34b6dcb2eb1a6e252903a4a262c01a65780669e1

SHA256
de9fe3c3f80a822891e0b82a4619208b2e73311d6bb3be34596b71274b52260b

SHA512
4b2bb4cb705835a8b9dcc34246046f82f0a9f9a909e6b0bf261a79cf62c44eeacae28f5ae5020873b9070c9ae400ff125a6e520c76f2c2790bde89aaa0d7ac20

Download Submit
memory/3032-0-0x0000000001000000-0x000000000104A7A0-memory.dmp

Filesize
297KB

Download
memory/3032-13-0x0000000001000000-0x000000000104A7A0-memory.dmp

Filesize
297KB

Download
memory/3032-18-0x0000000001000000-0x000000000104A7A0-memory.dmp

Filesize
297KB

Download
memory/3740-6-0x0000000001000000-0x000000000103A7A0-memory.dmp

Filesize
233KB

Download
memory/3740-14-0x0000000001000000-0x000000000103A7A0-memory.dmp

Filesize
233KB

Download
memory/3740-17-0x0000000001000000-0x000000000103A7A0-memory.dmp

Filesize
233KB

Download
memory/4076-12-0x0000000000400000-0x0000000000425190-memory.dmp

Filesize
148KB

Download
memory/4076-16-0x0000000000400000-0x0000000000425190-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads