89c9b4e30d6be8d85fa4ba73a76934d7daec6280dc4997774d3f7ada4b065df8

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2024 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe
Size

19KB
MD5

278fba1cd94e1a1811a8512284804026
SHA1

46a4479332db9c0bfd19271efcfc022365d8fea3
SHA256

89c9b4e30d6be8d85fa4ba73a76934d7daec6280dc4997774d3f7ada4b065df8
SHA512

04700519bb11b1a91b87c07d86a1d42a4e4ce1f2b1cbb7365521bfc905b21ab7773340c2bd52907a4c0278b023a54c5ba0cc2aab534b91a42220023f4cb306e7
SSDEEP

384:rLgVXkDsz3ffGx6HG9qkQtlxZXCfIJC5vlKcq3i/cAY:rLgRk2PfGqG4kQnXCMCPGyUAY

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1900	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe
1900	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\œ„Ðøn.dll	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tf0	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\œ„Ðøn.dll.LoG	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\\ = "MICROSOFT"	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\\InProcServer32\ = "C:\\Windows\\SysWow64\\œ„Ð\u0090øn.dll"	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION\EXPLORER	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\\InProcServer32	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\\InProcServer32\ThreadingModel = "Apartment"	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1900	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe
1900	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	1900	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe
Token: SeRestorePrivilege	1900	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe
Token: SeBackupPrivilege	1900	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe
Token: SeRestorePrivilege	1900	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1900	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe
1900	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe
1900	278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\278fba1cd94e1a1811a8512284804026_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\œ„Ðøn.dll

Filesize
224KB

MD5
9e4fd8327e39532ddc4d3a9502819ef5

SHA1
a7da314e2b79572ee66ba9521487b1f1b5cb2272

SHA256
c28fb3293a67f775ea7ad93d99f8b4d488c2b1a5ec13e1cc01da673dbbad2dfe

SHA512
b9adb2e04b26d48da03652491efcea4131c68f0163aaebd98440ccc5ac6461b39f8833c54744a1045552932ead6f8a7df4044a70c3d0a52d833c011fcc69e7e6

Download Submit
memory/1900-4-0x0000000002170000-0x000000000217D000-memory.dmp

Filesize
52KB

Download
memory/1900-8-0x0000000002170000-0x000000000217D000-memory.dmp

Filesize
52KB

Download