f27d941a91c3c809a07aa6d3312a3ff98370ff2286ed9141ae71fab8a0b581c8

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34c7259db30d7a03d2e33ba8d7f915c6_JaffaCakes118.exe
Size

408KB
MD5

34c7259db30d7a03d2e33ba8d7f915c6
SHA1

a54336f8ccc4fa0f74d46a25cd587dde8e40f18a
SHA256

f27d941a91c3c809a07aa6d3312a3ff98370ff2286ed9141ae71fab8a0b581c8
SHA512

a5ae1bc351aafdd24bb1b3e5c21b07128381b076f9bbb864e7106c3379969fbb107d8754e0e950f17eb81a4dc751c20eef7789d962e0c91c3ed0325404110526
SSDEEP

6144:23e9whpxK+1bAo0xGvF2idZecnl20lHRxp3galk9ihl0/srEQpPK+e1FtEuxF+Uh:23Y+1MoZF3Z4mxx1oEtlK+kt9T2M7

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\WINS\Parameters\ServiceDll = "%SystemRoot%\\System32\\hhkhqz.dll"	PCÃâ·Ñ°æ.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WINS\Parameters\ServiceDll = "%SystemRoot%\\System32\\hhkhqz.dll"	PCÃâ·Ñ°æ.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WINS\Parameters\ServiceDll = "%SystemRoot%\\System32\\hhkhqz.dll"	PCÃâ·Ñ°æ.exe

Executes dropped EXE 1 IoCs

pid	Process
116	PCÃâ·Ñ°æ.exe

Loads dropped DLL 2 IoCs

pid	Process
116	PCÃâ·Ñ°æ.exe
3632	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	34c7259db30d7a03d2e33ba8d7f915c6_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\0003d656.ini	PCÃâ·Ñ°æ.exe
File created	C:\Windows\SysWOW64\hhkhqz.dll	PCÃâ·Ñ°æ.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3632	svchost.exe
3632	svchost.exe
3632	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 116	2396	34c7259db30d7a03d2e33ba8d7f915c6_JaffaCakes118.exe	84
PID 2396 wrote to memory of 116	2396	34c7259db30d7a03d2e33ba8d7f915c6_JaffaCakes118.exe	84
PID 2396 wrote to memory of 116	2396	34c7259db30d7a03d2e33ba8d7f915c6_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\34c7259db30d7a03d2e33ba8d7f915c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\34c7259db30d7a03d2e33ba8d7f915c6_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PCÃâ·Ñ°æ.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PCÃâ·Ñ°æ.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:116

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k WINS
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PCÃâ·Ñ°æ.exe

Filesize
59KB

MD5
e02d478a305449ed4280b0b6d2d402dd

SHA1
9d7e580d64271d4a3c3e8ab4ca27f02da2ab8700

SHA256
224d0b1a071c19ce46a50ca11f53b44fa7023621903b7ba71edb3acbf49ed510

SHA512
f786c638b16a7edc3d0894a1961ad2e04e1af59acc0913e9c2df198915e645e07ecc3818b5fbf11aad8321d3fc109b542a21355cbf5225946716313eb120fc69

Download Submit
C:\Windows\SysWOW64\hhkhqz.dll

Filesize
89KB

MD5
c840cce845c01454c7d271a8b753f450

SHA1
78160ede1831f36abdd5d4a6ca81b94ff0e3a211

SHA256
c18e544b663dddc8c0b7394709736ce6b2571f6dba8da9be7549d70c5ebf67e4

SHA512
f1da3c7dd7fdb723f0d4f006308e501e0bf4db9a001f1faf4f7f99b57c0bb4c9d9395d63bfdde1459ffda6bfe48d6c103d2a5f1c5cd01a167bb976515f3d0c7e

Download Submit
memory/2396-23-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2396-34-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/2396-44-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2396-43-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2396-42-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/2396-41-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/2396-40-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2396-39-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/2396-38-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/2396-37-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2396-36-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/2396-35-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/2396-22-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2396-33-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/2396-32-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/2396-31-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2396-30-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/2396-29-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2396-27-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2396-26-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2396-25-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2396-24-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2396-28-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/2396-0-0x0000000001000000-0x000000000108A000-memory.dmp

Filesize
552KB

Download
memory/2396-14-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2396-20-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2396-19-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2396-18-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2396-17-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2396-16-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2396-15-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/2396-21-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2396-13-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2396-12-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2396-11-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2396-10-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2396-9-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2396-8-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/2396-7-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/2396-6-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2396-3-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/2396-2-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/2396-4-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/2396-5-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/2396-1-0x0000000000AC0000-0x0000000000B14000-memory.dmp

Filesize
336KB

Download
memory/2396-59-0x0000000000AC0000-0x0000000000B14000-memory.dmp

Filesize
336KB

Download
memory/2396-58-0x0000000001000000-0x000000000108A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads