13bbc671966e78d95bc28f99aadd1bf9d9c563ce5630b3523d5b22fa12c032a1

Analysis

max time kernel
95s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3577f4702582432300f89e998ea60a82_JaffaCakes118.exe
Size

20KB
MD5

3577f4702582432300f89e998ea60a82
SHA1

eca085692f561bc655fd7b8b0a4f0fcac6f27bfa
SHA256

13bbc671966e78d95bc28f99aadd1bf9d9c563ce5630b3523d5b22fa12c032a1
SHA512

1e91595f66fdcf0846858b526b0ff1e4ebc418a95dcfc1d5bbf90e08670b7a45e019e72dd43975275b81a7ea40cf10af6b51299f4c9278c127e76e308912cc2e
SSDEEP

384:bO2OEHdn0QfuLNExpYROROJWHLyRFqKv8sNPeKl3C1J9:RHlhQExpoOYSLy1vZ53C1D

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4460	mcsijyoe.exe

Executes dropped EXE 1 IoCs

pid	Process
4460	mcsijyoe.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSCV = "C:\\Users\\Admin\\mcsijyoe.exe"	mcsijyoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MSCV = "C:\\Users\\Admin\\mcsijyoe.exe"	mcsijyoe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSCV = "C:\\Users\\Admin\\mcsijyoe.exe"	mcsijyoe.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4460	mcsijyoe.exe
4460	mcsijyoe.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4672	3577f4702582432300f89e998ea60a82_JaffaCakes118.exe
Token: SeTcbPrivilege	4672	3577f4702582432300f89e998ea60a82_JaffaCakes118.exe
Token: SeDebugPrivilege	4460	mcsijyoe.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 4460	4672	3577f4702582432300f89e998ea60a82_JaffaCakes118.exe	84
PID 4672 wrote to memory of 4460	4672	3577f4702582432300f89e998ea60a82_JaffaCakes118.exe	84
PID 4672 wrote to memory of 4460	4672	3577f4702582432300f89e998ea60a82_JaffaCakes118.exe	84
PID 4460 wrote to memory of 3460	4460	mcsijyoe.exe	56
PID 4460 wrote to memory of 3460	4460	mcsijyoe.exe	56
PID 4460 wrote to memory of 3460	4460	mcsijyoe.exe	56
PID 4460 wrote to memory of 3460	4460	mcsijyoe.exe	56
PID 4460 wrote to memory of 3460	4460	mcsijyoe.exe	56
PID 4460 wrote to memory of 3460	4460	mcsijyoe.exe	56
PID 4460 wrote to memory of 3460	4460	mcsijyoe.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3460
- C:\Users\Admin\AppData\Local\Temp\3577f4702582432300f89e998ea60a82_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3577f4702582432300f89e998ea60a82_JaffaCakes118.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Users\Admin\mcsijyoe.exe
    "C:\Users\Admin\mcsijyoe.exe" 528 "C:\Users\Admin\AppData\Local\Temp\3577f4702582432300f89e998ea60a82_JaffaCakes118.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\mcsijyoe.exe

Filesize
20KB

MD5
3577f4702582432300f89e998ea60a82

SHA1
eca085692f561bc655fd7b8b0a4f0fcac6f27bfa

SHA256
13bbc671966e78d95bc28f99aadd1bf9d9c563ce5630b3523d5b22fa12c032a1

SHA512
1e91595f66fdcf0846858b526b0ff1e4ebc418a95dcfc1d5bbf90e08670b7a45e019e72dd43975275b81a7ea40cf10af6b51299f4c9278c127e76e308912cc2e

Download Submit