8be5ff144f115a6cf93921007e6c283aca0a162dd4b99aa7c0af9b033a505db5

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24725e265205df0edd976d8f0d4b59b8_JaffaCakes118.exe
Size

411KB
MD5

24725e265205df0edd976d8f0d4b59b8
SHA1

3717e332617c8b2936925e73abd3c5f8a4d8fa06
SHA256

8be5ff144f115a6cf93921007e6c283aca0a162dd4b99aa7c0af9b033a505db5
SHA512

7f9e1c48d6e711b16626c3990dee108ae43db4a224bec45b224630d999c7182ddd4ce1f4f87c3945af14f4a4c50447b3bc9301323f1873385da5026819a6664f
SSDEEP

6144:lNs8JHClXLF4ealiAfFV1H4a0MgGH2FuHqr7j96RXIrI8iCdfGqxlqYziYv/dxfD:lq8JilXhAt7Y7Mgi2IHq56RLxeiYrf5

Score

7^/10

persistence vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4908	OK.exe
1492	Windowscom.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4788-0-0x0000000001000000-0x00000000010C9000-memory.dmp	vmprotect
behavioral2/memory/4788-1-0x0000000001000000-0x00000000010C9000-memory.dmp	vmprotect
behavioral2/memory/4788-17-0x0000000001000000-0x00000000010C9000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	24725e265205df0edd976d8f0d4b59b8_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	OK.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4908	OK.exe
Token: SeDebugPrivilege	1492	Windowscom.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1492	Windowscom.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 4908	4788	24725e265205df0edd976d8f0d4b59b8_JaffaCakes118.exe	80
PID 4788 wrote to memory of 4908	4788	24725e265205df0edd976d8f0d4b59b8_JaffaCakes118.exe	80
PID 4788 wrote to memory of 4908	4788	24725e265205df0edd976d8f0d4b59b8_JaffaCakes118.exe	80
PID 1492 wrote to memory of 4520	1492	Windowscom.exe	83
PID 1492 wrote to memory of 4520	1492	Windowscom.exe	83
PID 4908 wrote to memory of 4460	4908	OK.exe	84
PID 4908 wrote to memory of 4460	4908	OK.exe	84
PID 4908 wrote to memory of 4460	4908	OK.exe	84

C:\Users\Admin\AppData\Local\Temp\24725e265205df0edd976d8f0d4b59b8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24725e265205df0edd976d8f0d4b59b8_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OK.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OK.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    PID:4460

C:\Windowscom.exe
C:\Windowscom.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OK.exe

Filesize
743KB

MD5
dfb7556e6da65ec97d998588bc811f93

SHA1
00c22c1b2eb2141e1934ab175ff497692fa022d8

SHA256
fdc8f287dc2c0770386f9ee9e80563a5a76b07f36378339fd3bb97688f56be40

SHA512
944201c81199f1fea8b74eccc424fb8ecd7f1ccf7f59ef5585dd1f4102ddd398cc8173cfe4b02cc8e58367bd16b9c66ca367b80f370d3a39dee765b52b0f65e8

Download Submit
C:\Windows\uninstal.bat

Filesize
152B

MD5
f85514e0c05be58dffafd22cb0c4d972

SHA1
1ca6c6b658959414edad632441e3ca6cec903aa8

SHA256
5a04b088b260429c6ff700c250158d2da89f4f902566b43cb438769dfeaf929f

SHA512
8d3f8b41b93dacd6e78297dff1ae5d5e7104156dcfa4a5156a81569b70d6ca05e78750819cadfe1b7176cb2206ecf106e64a9d4f2cf7b2e0ccedc84110ae6e82

Download Submit
memory/1492-13-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1492-19-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1492-21-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/4788-0-0x0000000001000000-0x00000000010C9000-memory.dmp

Filesize
804KB

Download
memory/4788-2-0x0000000001068000-0x0000000001069000-memory.dmp

Filesize
4KB

Download
memory/4788-1-0x0000000001000000-0x00000000010C9000-memory.dmp

Filesize
804KB

Download
memory/4788-17-0x0000000001000000-0x00000000010C9000-memory.dmp

Filesize
804KB

Download
memory/4908-10-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/4908-16-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads