221ecd2487198c29b649fe52d9b4750726ca313618fb54fb54d47a34b4ee3564

Analysis

max time kernel
141s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2024 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118.exe
Size

432KB
MD5

27a6f94d0f00f7f590b4598d81aae3a4
SHA1

6cbc9ecfa4632a5fddff7fa2d9fd6e07f894954b
SHA256

221ecd2487198c29b649fe52d9b4750726ca313618fb54fb54d47a34b4ee3564
SHA512

a88b3f44c7fe1147d68815580252b092ca9d9f45ad69f0122217cafdb631552097f1c80490fb3583b22c28e5bc8ec4138fa05693c09b81593a90bffc56eba2ae
SSDEEP

1536:Suy1OHiO3R1NyCRSzBw2NqVnGLo9TLfFEhC50G9JsP96+T+kmmOON5jU1YYCsMDn:SuyCR2QVGLo9ffFEOsDpjnB9be6

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118"	27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3592 set thread context of 2508	3592	27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118.exe	83

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\systems.txt	27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118.exe
File opened for modification	C:\Windows\systems.txt	27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\IESettingSync	27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3592	27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118.exe
2508	27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118.exe
2508	27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118.exe
2508	27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 2508	3592	27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118.exe	83
PID 3592 wrote to memory of 2508	3592	27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118.exe	83
PID 3592 wrote to memory of 2508	3592	27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118.exe	83
PID 3592 wrote to memory of 2508	3592	27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118.exe	83
PID 3592 wrote to memory of 2508	3592	27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118.exe	83
PID 3592 wrote to memory of 2508	3592	27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118.exe	83
PID 3592 wrote to memory of 2508	3592	27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118.exe	83
PID 3592 wrote to memory of 2508	3592	27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Users\Admin\AppData\Local\Temp\27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\27a6f94d0f00f7f590b4598d81aae3a4_JaffaCakes118.exe
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2508-2-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2508-4-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2508-17-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads