c8314fe861a9939d09bebaf20f069ba64cd25a8a1809402ca36adf20d241f697

Analysis

max time kernel
120s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe
Size

660KB
MD5

36c24db1ed442d4b41c2b5e18e9d4639
SHA1

5d50d595373988b0344c23aecbf85a8010f3e4d2
SHA256

c8314fe861a9939d09bebaf20f069ba64cd25a8a1809402ca36adf20d241f697
SHA512

884034489e000b37da43bae941774f4902bd619c51a10cebf4bab8e1eeada210afd4d733469f8953491f6a177d0e21ef9a670f5bc1e2285e5eea62740ab28e70
SSDEEP

12288:tn7YS4Qn0ViVi9KHUxzJWuR0zzqhvTfv7Vp1cyeLfJAmjmOvKYTg:tnMRsiQ0T9skr7z1VeLpmktU

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2992	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe
2992	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe
2992	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\CineRak\CineRakComic\ActivexDel.exe	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe
File created	C:\Program Files (x86)\CineRak\CineRakComic\Uninstall.exe	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe
File created	C:\Program Files (x86)\CineRak\CineRakComic\CineRakComicUpdater.exe	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe
File created	C:\Program Files (x86)\CineRak\CineRakComic\CineRakComic.ico	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\New Windows\Allow	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.cinerak.com	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2992	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe
2992	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 4672	2992	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe	87
PID 2992 wrote to memory of 4672	2992	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe	87
PID 2992 wrote to memory of 4672	2992	36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36c24db1ed442d4b41c2b5e18e9d4639_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c \DelUS.bat
  2⤵
  PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat

Filesize
228B

MD5
189a7361c5bf1ec9dbdfcde604a17068

SHA1
85646f4b6231c77bad25b96eb43421129e7cd432

SHA256
8e010684892ef7d6c86b06c434fc15895b128603cf81ae1971e519bac5f411c3

SHA512
28886cccdb56de8538d33c13ccf54fe63b36c7fc2f846b0ccafbf41e72c27026cc7fd4c2fb4f89e59fcd1441ed98ba17dbbeb085456968e3aa5d7be92df2c573

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss99EF.tmp\DLLWeb.dll

Filesize
28KB

MD5
b382d6c8d5c6a437b2064d79b5dee47b

SHA1
f8f4eae50d59b3b94762b10984c1fdcf4c08ff47

SHA256
bdb051e1d7fd7b062341b8cb2efce180f2fbb83739fd2143262034be0f2396f3

SHA512
e6d604d18b28beb30c09d987472540306abd925048f58a3c99a4013d44b9f29112419ca15c1bb7ee1560300bf179f9e98dd7e6db75e5aeb0e44fba47ac2dcc99

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss99EF.tmp\SelfDelete.dll

Filesize
24KB

MD5
7bf1bd7661385621c7908e36958f582e

SHA1
43242d7731c097e95fb96753c8262609ff929410

SHA256
c0ad2c13d48c9fe62f898da822a5f08be3bf6c4e2c1c7ffdf7634f2ca4a8859e

SHA512
8317af5cc3ac802eb095f3fa8cc71daa1265ca58fead031c07872f3d4bb07663a7002ae734fad392a7617f0923fe0caf1f54ed55afdf8516a6a08e202d86fa7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss99EF.tmp\processes_second.dll

Filesize
140KB

MD5
f0a1eae66dd2f54fbe26c26db5493a6f

SHA1
46d56b4c6694da1ec4d88b0a5b153dad02b5dca7

SHA256
8fe4dad8f894bcdb9a83a9d302907de404695be4b50e619afd88f09d72583e69

SHA512
e1b3c946e90fc30b6cdf953c8c7e96121b462bf8529099e0587f7f243b9d73eeba52b510dd2598937f188f7a35bc1e3785b7589ec6c249996a5795c10dafd1e7

Download Submit