c6527ac90bb3bef526f3c0fd59850bc7bd0c689a4d128a1cdcfd7da010adc16f

Analysis

max time kernel
92s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 19:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2387ddf6c1e8f9e34720e594aeca703c_JaffaCakes118.exe
Size

14KB
MD5

2387ddf6c1e8f9e34720e594aeca703c
SHA1

4fbba65730e48e204445762cd507aee1b130342c
SHA256

c6527ac90bb3bef526f3c0fd59850bc7bd0c689a4d128a1cdcfd7da010adc16f
SHA512

1077923125987ad44c30f565cc3da270d36dae0e76ab0083592a5dc82796f70ca343b881d183d6a683b4e883911adb8c190577053803dcde9d1aa0f25f2bab9c
SSDEEP

192:qzUNcknUK9NrAW58dG3Di+gmWVGnTnohnznQu6brA+eayAVR2bxATE0fsA:tckUKzifdVGTnmnsne6EmTEHA

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vjioftkb.dll = "{71A78CD4-E470-4a18-8457-E0E0283DD507}"	2387ddf6c1e8f9e34720e594aeca703c_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2368	2387ddf6c1e8f9e34720e594aeca703c_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vjioftkb.tmp	2387ddf6c1e8f9e34720e594aeca703c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\vjioftkb.tmp	2387ddf6c1e8f9e34720e594aeca703c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\vjioftkb.nls	2387ddf6c1e8f9e34720e594aeca703c_JaffaCakes118.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32\ThreadingModel = "Apartment"	2387ddf6c1e8f9e34720e594aeca703c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}	2387ddf6c1e8f9e34720e594aeca703c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32	2387ddf6c1e8f9e34720e594aeca703c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32\ = "C:\\Windows\\SysWow64\\vjioftkb.dll"	2387ddf6c1e8f9e34720e594aeca703c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2368	2387ddf6c1e8f9e34720e594aeca703c_JaffaCakes118.exe
2368	2387ddf6c1e8f9e34720e594aeca703c_JaffaCakes118.exe
2368	2387ddf6c1e8f9e34720e594aeca703c_JaffaCakes118.exe
2368	2387ddf6c1e8f9e34720e594aeca703c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2368	2387ddf6c1e8f9e34720e594aeca703c_JaffaCakes118.exe
2368	2387ddf6c1e8f9e34720e594aeca703c_JaffaCakes118.exe
2368	2387ddf6c1e8f9e34720e594aeca703c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 4836	2368	2387ddf6c1e8f9e34720e594aeca703c_JaffaCakes118.exe	83
PID 2368 wrote to memory of 4836	2368	2387ddf6c1e8f9e34720e594aeca703c_JaffaCakes118.exe	83
PID 2368 wrote to memory of 4836	2368	2387ddf6c1e8f9e34720e594aeca703c_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\2387ddf6c1e8f9e34720e594aeca703c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2387ddf6c1e8f9e34720e594aeca703c_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\CB7E.tmp.bat
  2⤵
  PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CB7E.tmp.bat

Filesize
207B

MD5
111a9256b743d5c8d573fe0480fd6b63

SHA1
b7601bdee0f72c90c1d530b6192b211bc6c719ef

SHA256
de25244b9647d0992c4b68881f4555c1d23394226d21f4731d3dc0bfa92fd861

SHA512
36c067f2f073b54586e4f3fdda90e85e5a2c7d3ad90718ac8197236a30930c594d9be348fb4e56568a04c9811cb19096a9f1f57c60e1b3e9fd8aaedd432afc8e

Download Submit
C:\Windows\SysWOW64\vjioftkb.nls

Filesize
428B

MD5
a7a877b803cee40c3f2a49e201d99499

SHA1
d6ae66238ba488af6b5211ffa596f85f727eee82

SHA256
6b8cbcff99a72eac167c4ca77eac84d845a573219e31991903e5a056f36e6151

SHA512
0e3825e1b3fb236c92cd25207061bb6cae635674f7c57510b48c51fe44a52725f3001ae72d1f1756ea829bfe14a8d7e04790e1cedca747a10935be84ffb10f3a

Download Submit
C:\Windows\SysWOW64\vjioftkb.tmp

Filesize
2.0MB

MD5
ca9c1a2ced582a9cc46ae1c1a85b2417

SHA1
63b1c0f5741cc162f867b4c7ad9e8a78c4c0c3bc

SHA256
f221462f3f2febaf8983c351d3e91a9cf585e368cddeeb93ef37e663dc71b742

SHA512
897821d8dd34b9ab574e496920d47c49379865dd2a4c0d6b941c35ec073096102050b19dbeb63e5e30e0a2863784a67bcf256386a2a4a0b2e46b84357ccb0e4a

Download Submit
memory/2368-17-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2368-21-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download