d0712875feba97ce0c191346ffbb54f01cd3f0b9892fbcee4d27f339efd779b4

Analysis

max time kernel
125s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f43122e02f692ea0ab02f300c3126d5_JaffaCakes118.exe
Size

51KB
MD5

2f43122e02f692ea0ab02f300c3126d5
SHA1

c5c21c6e0b596399e167114be43154e1079979f7
SHA256

d0712875feba97ce0c191346ffbb54f01cd3f0b9892fbcee4d27f339efd779b4
SHA512

cd472280dfd969c78dac7c3fabae01fcfb262ad2c0bdf1ddcab6ebb0db6cb6f155aabdf52f45631a1347691a5ab3c11c627124d88de9e4fad49bfa77242dd72e
SSDEEP

1536:BWP2/yLl3tPhc0Uon280/JSLjuGNEyj2Tbk:BeQm3tPh3Uo2GvusEyyTbk

Score

7^/10

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4476	2f43122e02f692ea0ab02f300c3126d5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4476	2f43122e02f692ea0ab02f300c3126d5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 2184	4476	2f43122e02f692ea0ab02f300c3126d5_JaffaCakes118.exe	90
PID 4476 wrote to memory of 2184	4476	2f43122e02f692ea0ab02f300c3126d5_JaffaCakes118.exe	90
PID 4476 wrote to memory of 2184	4476	2f43122e02f692ea0ab02f300c3126d5_JaffaCakes118.exe	90
PID 2184 wrote to memory of 4496	2184	vbc.exe	93
PID 2184 wrote to memory of 4496	2184	vbc.exe	93
PID 2184 wrote to memory of 4496	2184	vbc.exe	93

C:\Users\Admin\AppData\Local\Temp\2f43122e02f692ea0ab02f300c3126d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f43122e02f692ea0ab02f300c3126d5_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pp3aj9nz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2EAC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD37C8DA2CBBA43F58AADB9D9DE8D9796.TMP"
    3⤵
    PID:4496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4616,i,18261153038209191383,10347744459236715365,262144 --variations-seed-version --mojo-platform-channel-handle=4236 /prefetch:8
1⤵
PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2EAC.tmp

Filesize
1KB

MD5
f100339d4940117d2241fa8df48f6413

SHA1
c5a236c3882841d16b5c82552f2aa637a2932e51

SHA256
d98db3a32943b0660521cb3971854c122d9b2a4407afbf9ef813d760f5fc77b2

SHA512
82abacb2b1c733c46904409b58c01b71f80c5c4256cdca49ba3f513f5bb4f9d50decddafd0ead53c6eb932772264a75559953947064a0518ebf74c31fa45351e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pp3aj9nz.0.vb

Filesize
30KB

MD5
0a9bef7c75e587a058cb7019181f0234

SHA1
206f31a4cbed8c689475c7c042d8353d7394de1e

SHA256
01203b7adcf88f54de4a2fd4cd056369836e9dc0c14116162749cc82553a0f48

SHA512
24024b406c4816a5d1be0a570f5189ec0c129b78b22ba25e6c8c286816d29b6ec0fda5bd13a4f15ea0dafa594c4376be8d813be3d22c7c79c3b5acf71120128c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pp3aj9nz.cmdline

Filesize
276B

MD5
42c258d95ab1219625b80c36c04eef73

SHA1
fb99c681f907d338904bd8ba9154edc3f048b012

SHA256
11fbfd73c8323393dffd7f3f04afe216784a758f203acb41e31447a5f5cb8d52

SHA512
fe1641d4f4809b526fb66c2f1abf055d558f925b5fe3db3cb344eecce7a3607877d03a78fd0770b827b90087bec5cd2bda63e27d9cb617e74b72e7e77c984831

Download Submit
C:\Users\Admin\AppData\Local\Temp\pp3aj9nz.dll

Filesize
28KB

MD5
9b628b021b1bb39a22f64cc96a66b595

SHA1
07bcaf852035fdd129f723404dd87162b81b2bc0

SHA256
54b5bfb19f5aa01590b9bd013c015be6a1a92c9ca6f50fb31581d91f10fa7632

SHA512
e1ee2acbd92b74da1d50aab03dfb4c7bfa4624cc3a2220b2266f2c19a997dddd1a0fb752233e20ca4445bcc425d912b63bc304108924f62fe21bfdec5bc9b802

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD37C8DA2CBBA43F58AADB9D9DE8D9796.TMP

Filesize
652B

MD5
d49d5ef61b962049a4e0ded2022aacb9

SHA1
be9a28a99503967e3c59e8aa327177b31189990c

SHA256
9d7864f88e9826aef535282870e19b77f094fd2eed382ab56dfc5f2ae662cf52

SHA512
a3754c94922075cd4cc7e9f7def9e72d28b54f558b955d1ff59e0fb3d5723644b317ef4bc195d37a65d335678b4827b285a9b7d638b92618db9eff207734ef84

Download Submit
memory/2184-7-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/2184-16-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/4476-0-0x0000000074F52000-0x0000000074F53000-memory.dmp

Filesize
4KB

Download
memory/4476-1-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/4476-2-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/4476-19-0x0000000074F52000-0x0000000074F53000-memory.dmp

Filesize
4KB

Download
memory/4476-20-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download