75f0f21737fed722cba5c80dacdb50614a3e5240efae04108af4e9cc7ae0c707

Analysis

max time kernel
124s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe
Size

157KB
MD5

2b7083e65c670f754f718600eb292cfb
SHA1

2c958a67f029d6dc730ad0e94290a5a635225300
SHA256

75f0f21737fed722cba5c80dacdb50614a3e5240efae04108af4e9cc7ae0c707
SHA512

f7ab0e909e7763d65d71153e289a2fd52a5b708f6756423bb9f74069d7f99841d99f98553fe3e4f327f5590d7c1a6c26815fb068b4e02857b110b4d5b815b250
SSDEEP

3072:Vp9pZqP95Oh1DDyjRvxwKU9LfnnOgW4jKIWO977dW18DjVjR:DZE5+13ylv+nDn8O9HdqqJj

Score

7^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
3448	Explorer.EXE

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{362f507e-18f2-8ca3-a98c-62cbab34585d}\\n."	2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000_Classes\clsid	2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}	2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2812	2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe
2812	2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe
2812	2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe
2812	2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe
2812	2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe
2812	2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe
2812	2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe
2812	2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe
Token: SeDebugPrivilege	2812	2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe
Token: SeDebugPrivilege	2812	2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3448	Explorer.EXE
3448	Explorer.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 3448	2812	2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe	56
PID 2812 wrote to memory of 3448	2812	2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3448
- C:\Users\Admin\AppData\Local\Temp\2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe"
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\{362f507e-18f2-8ca3-a98c-62cbab34585d}\n

Filesize
26KB

MD5
fab7de9eafea67f88e43003698024c86

SHA1
24a4ef27c29cdeabed5e0af867e3f568da40d0c9

SHA256
073b1f99871dc56a33dcd55af71d53482816bfc9b3ce5c78ee53bed31b428384

SHA512
b4a57a8cc564760526d4cce26ce24e80657c064df373c307bb90cf053d01d04bdfe1def41fedfeb7715e53d8481a98c94bc6f3bf33815b4571d898aa08553fcd

Download Submit
memory/2812-2-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2812-1-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2812-8-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2812-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3448-3-0x0000000002E30000-0x0000000002E31000-memory.dmp

Filesize
4KB

Download
memory/3448-10-0x0000000002E30000-0x0000000002E31000-memory.dmp

Filesize
4KB

Download
memory/3448-11-0x0000000002E30000-0x0000000002E31000-memory.dmp

Filesize
4KB

Download