1a553e660a6f8f287ebd87c312518a1101d2e659b3e1938c58ce8e1030b8561f

Analysis

max time kernel
133s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24056d080b7169658f1321afcac4f34e_JaffaCakes118.exe
Size

184KB
MD5

24056d080b7169658f1321afcac4f34e
SHA1

12cbfc2bcea145ce8522082d648d24026ecf82a0
SHA256

1a553e660a6f8f287ebd87c312518a1101d2e659b3e1938c58ce8e1030b8561f
SHA512

678c98c87de18ea232a6ec2ba8f394639477e5309ccff86ccc3325b4a7ecbe39e8b3f5e2d49ce795568f6c7bb926360c997074e8a22edfccfdf16ebf4426d359
SSDEEP

3072:gZMB9JdoHmoeyced9wh0qDUOv31VI07ialpqxVyxEiFX:+MkHmotf7fqD5w0GWfx

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3076	hsspsr.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	hsspsr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	hsspsr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	hsspsr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\ghssp\\command	hsspsr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	hsspsr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\ghssp	hsspsr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\ghssp	hsspsr.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3184	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 2608	3336	24056d080b7169658f1321afcac4f34e_JaffaCakes118.exe	82
PID 3336 wrote to memory of 2608	3336	24056d080b7169658f1321afcac4f34e_JaffaCakes118.exe	82
PID 3336 wrote to memory of 2608	3336	24056d080b7169658f1321afcac4f34e_JaffaCakes118.exe	82
PID 2608 wrote to memory of 3076	2608	cmd.exe	84
PID 2608 wrote to memory of 3076	2608	cmd.exe	84
PID 2608 wrote to memory of 3076	2608	cmd.exe	84
PID 2608 wrote to memory of 3184	2608	cmd.exe	85
PID 2608 wrote to memory of 3184	2608	cmd.exe	85
PID 2608 wrote to memory of 3184	2608	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\24056d080b7169658f1321afcac4f34e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24056d080b7169658f1321afcac4f34e_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\akasuqd.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\hsspsr.exe
    "C:\Users\Admin\AppData\Local\Temp\hsspsr.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:3076
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\akasuqd.bat

Filesize
124B

MD5
10887a3501eda99e6dd8788a675982d4

SHA1
7c8eb9cd8ce1bc0143d23d3f8cdaed0c6df3dd80

SHA256
10cf6fe25b5709b19867f936fe5a1b8ddb80bdb6f1891d31efbebfd71867eaaf

SHA512
864e7982b185da54e23b5ff6547f54ecb585ce56b72a1e86a8ad09c0a0bc30d962b7bc3152d3b3281bc812ae051ff8fe7a4b1daafe832aa4000f2ae75251d7be

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpanln.bat

Filesize
170B

MD5
621ba97133bca614661cd6815fc7612d

SHA1
b98fabda897f5b8d05f2f44ebe9bae3e940aa0f0

SHA256
db740611380e14f32dee5d4258da702d840e7a4aefd397e7ef618e36beb0d163

SHA512
a59de75bcc66c5b80025ed531f1b4391de6d5a01172d802a62bfa7db8e7963c550ba9de336985248cebfd8dec5c442585535b553ddf5400ddff4d7b9adc7c4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsspsr.exe

Filesize
144KB

MD5
dfa93f42398d7781e8610c78974dddcf

SHA1
35eb1e7ebe1a27c30f4fbcb4aacea786d114aa9b

SHA256
95aef7692c1e7de521aa4d0387cd64be682531a08d7f0aa7d957c051ba1f9d03

SHA512
298aba4321fc476747cb04451ece5b8b35666db1dc295334e9f6d3683b93d1b0ac029c066c7805b755730122ec2544706003ce0e9df36c9f5d4430905b2f9b6d

Download Submit