b90c45b593caa67d5c686b4c0ae43364be4fedcaf801c57cd08b39c8f66bc1ab

Analysis

max time kernel
146s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24c639a18297db41949983f59e4054fa_JaffaCakes118.exe
Size

1.2MB
MD5

24c639a18297db41949983f59e4054fa
SHA1

999b084361f15698429f7d3c76462e2f45215161
SHA256

b90c45b593caa67d5c686b4c0ae43364be4fedcaf801c57cd08b39c8f66bc1ab
SHA512

4673629b812587745fb62d9a261b6487d7e5322dd57f109a70fc17d12621a8f6fb5c509f1f64b7253259cd9a801c34f5a207f043657f0641b23a76098e3bcc1a
SSDEEP

12288:eg8GBI8sEyF6O5O2xDTMuQQpRhO54snV80LLbmVSpcStKpq9gJvvUotI45Ce7rQo:e4BQEwlFTjgN/bm0Lf9EvUo75CePpTk

Score

8^/10

evasion persistence privilege_escalation

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Event Triggered Execution: AppCert DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.
persistence privilege_escalation

AppCert DLLs
T1546.009

Executes dropped EXE 2 IoCs

pid	Process
1344	Explorer.EXE
844	Process not Found

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2176	24c639a18297db41949983f59e4054fa_JaffaCakes118.exe
2176	24c639a18297db41949983f59e4054fa_JaffaCakes118.exe
1344	Explorer.EXE
1344	Explorer.EXE
1344	Explorer.EXE
1344	Explorer.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2176	24c639a18297db41949983f59e4054fa_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 1344	2176	24c639a18297db41949983f59e4054fa_JaffaCakes118.exe	21

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	24c639a18297db41949983f59e4054fa_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	24c639a18297db41949983f59e4054fa_JaffaCakes118.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1344
- C:\Users\Admin\AppData\Local\Temp\24c639a18297db41949983f59e4054fa_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\24c639a18297db41949983f59e4054fa_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppCert DLLs

T1546.009

Privilege Escalation

Event Triggered Execution

T1546

AppCert DLLs

T1546.009

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EUIYtkYPIOWCxFj.dll

Filesize
1.1MB

MD5
6ee34bf22dd9df03e960ed8d13872065

SHA1
718f9503ff6da32ce964cdf92024100b709dcb92

SHA256
b93b463b7b358d760e815bf666017a65b22eecac29b563e298fa2dd7a181f8a8

SHA512
ae2df6789c606f4148c541b8688277eb335c5826519379c6383d8b60b2bfd0f558198d9476ab282c68c4fac4196c71ba0cc069d000bd7221c12d0a6769bf85fc

Download Submit
memory/1344-1-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/2176-8-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download