3c7e46fa326e3ac93a9ab34c796be04e2ad2f3b16bd50685f4ed06ff6d5d3246

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34b185b25b12fc6bdf24fdc743c255e8_JaffaCakes118.exe
Size

52KB
MD5

34b185b25b12fc6bdf24fdc743c255e8
SHA1

244b82d3ef75d5b0b43b31289d4b1b275ceb194f
SHA256

3c7e46fa326e3ac93a9ab34c796be04e2ad2f3b16bd50685f4ed06ff6d5d3246
SHA512

c3eb357bedd67391ac6a20af833ae9279dcf6032f5504f05a0bc2ee6f6d3e5d041d6ae6225ecefa84bd8dd795402ef74b9fc708c4459343c5db7d7a4544ddbc6
SSDEEP

384:BwqUmiU/QqUm1U1QoQqUm1UjbfoQqUm1U5PoQqUm1Uw4joQqUm1Uc:Bwxk/Qxd1jQxdjbAQxd5QQxdw48Qxdc

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3632	msreg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Online Service = "C:\\Windows\\msreg.exe"	34b185b25b12fc6bdf24fdc743c255e8_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchosts.exe	34b185b25b12fc6bdf24fdc743c255e8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\svchostc.exe	34b185b25b12fc6bdf24fdc743c255e8_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\msreg.exe	34b185b25b12fc6bdf24fdc743c255e8_JaffaCakes118.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4940	3632	WerFault.exe	87
4140	3632	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3612	34b185b25b12fc6bdf24fdc743c255e8_JaffaCakes118.exe
3612	34b185b25b12fc6bdf24fdc743c255e8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 3632	3612	34b185b25b12fc6bdf24fdc743c255e8_JaffaCakes118.exe	87
PID 3612 wrote to memory of 3632	3612	34b185b25b12fc6bdf24fdc743c255e8_JaffaCakes118.exe	87
PID 3612 wrote to memory of 3632	3612	34b185b25b12fc6bdf24fdc743c255e8_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\34b185b25b12fc6bdf24fdc743c255e8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\34b185b25b12fc6bdf24fdc743c255e8_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Windows\msreg.exe
  C:\Windows\msreg.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 220
    3⤵
    - Program crash
    PID:4940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 224
    3⤵
    - Program crash
    PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3632 -ip 3632
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3632 -ip 3632
1⤵
PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\msreg.exe

Filesize
4KB

MD5
b1220810708ddb633b95c51e7de4c0c3

SHA1
aea221334cd3967b910aebf91ade3085d0180c2c

SHA256
8d608f6b31810358fa72263a46130cfd6847b0c47a91fa773660eefeadf5b366

SHA512
b8da2c6cdd31116959fb29241cc60c6ee76af104fe74030533a32085926e39c38de33f070b849b45265ea49e94b388671e1a08201d96fd54c7e056ae1920f20f

Download Submit