97785da4a12dc561c4881b43af3858d4c0665426e7752d45f079f827dd305e69

Analysis

max time kernel
93s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b437fa0582177d74b39a984309c3494_JaffaCakes118.exe
Size

32KB
MD5

2b437fa0582177d74b39a984309c3494
SHA1

8610b6bc3fe2cb4c89d28eb8c0fbd93e8abb29f9
SHA256

97785da4a12dc561c4881b43af3858d4c0665426e7752d45f079f827dd305e69
SHA512

5de3928550a74acb96f004ac777cdeffc1e51afa9325696afd74d43c3e1621a5a73449ee9b4f1529a556f97a62012e77db8fbffe12f97dd1e126fa3ff616584d
SSDEEP

768:nd7HQ9BrrmZZuNBo7Gh/4ONq2NfDx8deVpH:niRiZZBE/h6wH

Score

8^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mmmsxuhxu.dll	2b437fa0582177d74b39a984309c3494_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winsms.dll	2b437fa0582177d74b39a984309c3494_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1932	1928	2b437fa0582177d74b39a984309c3494_JaffaCakes118.exe	82
PID 1928 wrote to memory of 1932	1928	2b437fa0582177d74b39a984309c3494_JaffaCakes118.exe	82
PID 1928 wrote to memory of 1932	1928	2b437fa0582177d74b39a984309c3494_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\2b437fa0582177d74b39a984309c3494_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b437fa0582177d74b39a984309c3494_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c preved.bat
  2⤵
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\preved.bat

Filesize
243B

MD5
07f9f4397a6e8a031c517ade8f8b72a4

SHA1
9b6f866521fc3e9d008197dfbf45a61bfc7d22e4

SHA256
0d5cd850bfe97440ae10e51f2caa2a04dab0c0f3489ce99478f24f5e38156080

SHA512
56d79c79e39b8775687249b987ddeefc0f8a98697cd90274c57a9d131d0d27552228326e0c41ba740948bd899505ee2479387e658a1386018e356a387ccaf556

Download Submit
memory/1928-4-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download