d36221e4f9997726260044c1a6a0c6eb6718f2c96f2405f7c21656d9945fe261

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 11:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2851cffd525ca6ee8dff2d0ee0d363b6_JaffaCakes118.exe
Size

118KB
MD5

2851cffd525ca6ee8dff2d0ee0d363b6
SHA1

ca2c27b5091d9b0eec051c23bb4e2e6952e929e7
SHA256

d36221e4f9997726260044c1a6a0c6eb6718f2c96f2405f7c21656d9945fe261
SHA512

6767fca23ec61ac451e95c282c5c07fb7926e5fc20ce17c1ea99b5d163cf929bf12196e15b6105d94aee498a4c213abd89551da3068339d051f0ff918322287a
SSDEEP

3072:fz6yACmWSziKWVnAZ9xr3H3XJQ09dnQsCVpK:fz60nKWVATxrXFdnQQ

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3684	2851cffd525ca6ee8dff2d0ee0d363b6_JaffaCakes118.exe
3684	2851cffd525ca6ee8dff2d0ee0d363b6_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\29124D4AA81F.dll	2851cffd525ca6ee8dff2d0ee0d363b6_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\29124D4AA81F.dll	2851cffd525ca6ee8dff2d0ee0d363b6_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083A5F21-BCB9-4B21-A121-2584BEEFBFEF}\ = "ursfd"	2851cffd525ca6ee8dff2d0ee0d363b6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083A5F21-BCB9-4B21-A121-2584BEEFBFEF}\InProcServer32	2851cffd525ca6ee8dff2d0ee0d363b6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083A5F21-BCB9-4B21-A121-2584BEEFBFEF}\InProcServer32\ = "C:\\Windows\\Debug\\29124D4AA81F.dll"	2851cffd525ca6ee8dff2d0ee0d363b6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083A5F21-BCB9-4B21-A121-2584BEEFBFEF}\InProcServer32\ThrEaDiNgModEL = "aPaRTmEnT"	2851cffd525ca6ee8dff2d0ee0d363b6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083A5F21-BCB9-4B21-A121-2584BEEFBFEF}	2851cffd525ca6ee8dff2d0ee0d363b6_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3684	2851cffd525ca6ee8dff2d0ee0d363b6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 4876	3684	2851cffd525ca6ee8dff2d0ee0d363b6_JaffaCakes118.exe	82
PID 3684 wrote to memory of 4876	3684	2851cffd525ca6ee8dff2d0ee0d363b6_JaffaCakes118.exe	82
PID 3684 wrote to memory of 4876	3684	2851cffd525ca6ee8dff2d0ee0d363b6_JaffaCakes118.exe	82
PID 3684 wrote to memory of 3696	3684	2851cffd525ca6ee8dff2d0ee0d363b6_JaffaCakes118.exe	87
PID 3684 wrote to memory of 3696	3684	2851cffd525ca6ee8dff2d0ee0d363b6_JaffaCakes118.exe	87
PID 3684 wrote to memory of 3696	3684	2851cffd525ca6ee8dff2d0ee0d363b6_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\2851cffd525ca6ee8dff2d0ee0d363b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2851cffd525ca6ee8dff2d0ee0d363b6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  PID:4876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  PID:3696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
47B

MD5
2035beb4e7303289bff714568c134ccd

SHA1
dfdb1eff83d408fd80652c8213b0b15a04d778fd

SHA256
1e99696c2e8dfe8e906e2b27bf93854b930441cbdfe082e1a84f73699251b7ba

SHA512
fe3a2a0cb63bc1ec4e3f29df3405bf56d4c5a154311b242cb1ac315ec1dc5062993e5b2fe47be3c83a016c7bccb43559f1db682362af7fba14197af25990edf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
89B

MD5
6c7360ab231654ded7a2ce0ff5c3558d

SHA1
26edf7d62de5e300c8e441c2415bfe2d8d813f13

SHA256
7e9a40152c968ba441e1a990cedcd6fec7faacd87be7849f91a090dfd208baeb

SHA512
efa0158b295bb9d62eac6f03ba51b728a13fdeba1c9e4dd7e1dee01fcb1bac44f6c9fd7533d7e23857485914f1df5835a21c91b686976a348c878d93c3c4ad9d

Download Submit
C:\Windows\debug\29124D4AA81F.dll

Filesize
103KB

MD5
31363e4f160e76851e9b568b9a84007e

SHA1
8bbd81141fb28997bb60b6c9fd3c0caf34774c32

SHA256
a7f2c90cc7aa3f8d6e22d8933456ae2c53f38a7f42fef03798874d512a232f7e

SHA512
43bfcf75e06dd2e269c0e0b22b247333799520e212be1a8246cfcbe18e604ab8df3bb5e833a4ded1af0c4c5c06da0108cb9cf9cef59d13eb6ac941721aba952a

Download Submit
memory/3684-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3684-1-0x000000000042B000-0x000000000042C000-memory.dmp

Filesize
4KB

Download
memory/3684-2-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3684-6-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3684-16-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3684-17-0x00000000006B0000-0x00000000006F8000-memory.dmp

Filesize
288KB

Download
memory/3684-18-0x000000000042B000-0x000000000042C000-memory.dmp

Filesize
4KB

Download
memory/3684-20-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3684-22-0x00000000006B0000-0x00000000006F8000-memory.dmp

Filesize
288KB

Download