1b369188d8d55691909f8fb3cb8e0ca58a8b6f6bafe78f8fcbbca225aded8db7

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32919b195eaec53c74d9e420c1b0f77f_JaffaCakes118.exe
Size

89KB
MD5

32919b195eaec53c74d9e420c1b0f77f
SHA1

236d3766cac1e63dbc88430fcf3790529a65a39f
SHA256

1b369188d8d55691909f8fb3cb8e0ca58a8b6f6bafe78f8fcbbca225aded8db7
SHA512

e4240a816dcd78e355eb419419543f0c963a86f478004022ca4154cd4fcf9fef2e500c6cc089128921423b5c44adef572ab34d2a77f5ad5e195c413a376f8785
SSDEEP

1536:rzpmfJGJHRAOW7X/VkQFtvrjpqOJ55ltBDFW9Dqf1/a69:npmfJWxO7X/rFtvBqOd/6+l

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4620	32919b195eaec53c74d9e420c1b0f77f_JaffaCakes118.exe
4620	32919b195eaec53c74d9e420c1b0f77f_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zysten.dll	32919b195eaec53c74d9e420c1b0f77f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\zysten.dll	32919b195eaec53c74d9e420c1b0f77f_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\240621046.dll	32919b195eaec53c74d9e420c1b0f77f_JaffaCakes118.exe
File created	C:\Windows\240621312.bat	32919b195eaec53c74d9e420c1b0f77f_JaffaCakes118.exe
File created	C:\Windows\240621453.bat	32919b195eaec53c74d9e420c1b0f77f_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4620	32919b195eaec53c74d9e420c1b0f77f_JaffaCakes118.exe
4620	32919b195eaec53c74d9e420c1b0f77f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4620	32919b195eaec53c74d9e420c1b0f77f_JaffaCakes118.exe
Token: SeDebugPrivilege	4620	32919b195eaec53c74d9e420c1b0f77f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 628	4620	32919b195eaec53c74d9e420c1b0f77f_JaffaCakes118.exe	5
PID 4620 wrote to memory of 976	4620	32919b195eaec53c74d9e420c1b0f77f_JaffaCakes118.exe	83
PID 4620 wrote to memory of 976	4620	32919b195eaec53c74d9e420c1b0f77f_JaffaCakes118.exe	83
PID 4620 wrote to memory of 976	4620	32919b195eaec53c74d9e420c1b0f77f_JaffaCakes118.exe	83
PID 4620 wrote to memory of 3100	4620	32919b195eaec53c74d9e420c1b0f77f_JaffaCakes118.exe	86
PID 4620 wrote to memory of 3100	4620	32919b195eaec53c74d9e420c1b0f77f_JaffaCakes118.exe	86
PID 4620 wrote to memory of 3100	4620	32919b195eaec53c74d9e420c1b0f77f_JaffaCakes118.exe	86

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\32919b195eaec53c74d9e420c1b0f77f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\32919b195eaec53c74d9e420c1b0f77f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\240621312.bat
  2⤵
  PID:976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\240621453.bat
  2⤵
  PID:3100

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\240621046.dll

Filesize
126KB

MD5
e4efd2679aba9af20de9c3e7249ce26e

SHA1
09ab6ea0d25b2be55e4f72d3dffe4bdab28670ee

SHA256
031a7c005f93e784d9709c1ff32ac3711fa8c22ac8c484b54b13781b9b9c0743

SHA512
3ff5acb6448b77aca987c384e3ad1be404cddecc7cd81015998ef861d694c3e3f4184d9a9515b8ecc58b3e857b0959385068ade06137442e1513a65cd75a6135

Download Submit
C:\Windows\240621312.bat

Filesize
99B

MD5
10c5983d845b4ece0c1d046fbbe105ab

SHA1
e719d4be71c0a1e328d16b143f3a63d49aa7308d

SHA256
2c0b4a251a2f4e855431b0c5260bf3320aa7d56d0c4bebd294c70e63a9cda6f2

SHA512
ba417a2704f3931ded1637fb56cfbf4430543875f0f0cf6b2028a6ef4669fbba6aab46f9f3ef3e5cae2184f90eee16cccfdc2270a562c7bfecc1e9b5cb69ea07

Download Submit
C:\Windows\240621453.bat

Filesize
219B

MD5
c3f44530560c13c3121f732fd98f8344

SHA1
c6a61e1a70b218e859df8fe72eee096bcfb3d5e6

SHA256
5934873c32e31fd4df76305f23924d167bbd64259336ef57aabef29571e8208c

SHA512
1ae45208cc01affb9d519301bccae9d7743f76bfa6b72f5954525526903d2b1516e2e113f517030fb5f2df36eeb24d9252f9e8e705d71c2460fb173cc08ff1eb

Download Submit
memory/4620-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4620-2-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-7-0x00000000006B0000-0x00000000006D5000-memory.dmp

Filesize
148KB

Download
memory/4620-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-19-0x00000000006B0000-0x00000000006D5000-memory.dmp

Filesize
148KB

Download