47a615a002e391f8ca362fd9eacfba4549c44551a4da327959881c31688dca72

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35b58c0f26a40bedd65052613f95cb2b_JaffaCakes118.exe
Size

2.0MB
MD5

35b58c0f26a40bedd65052613f95cb2b
SHA1

c2d25373d40bf1424ff836a0ef8635411a78f291
SHA256

47a615a002e391f8ca362fd9eacfba4549c44551a4da327959881c31688dca72
SHA512

96a5a63432f9e264c43329fac494887b45bffa662198eb86962b3535923603edb64c827466990dec4078ccf7a40666d018b33d60a2ea56753d757037c93b4908
SSDEEP

49152:SYcliekU1sC/Za6Fs4UZrq/npUACi+BLFhOB3:SYc8NW46Fg+xAO

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
784	WGXMYVSX.exe

Loads dropped DLL 1 IoCs

pid	Process
784	WGXMYVSX.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00090000000234bd-5.dat	upx
behavioral2/memory/784-7-0x0000000000400000-0x00000000007DD000-memory.dmp	upx
behavioral2/memory/784-12-0x0000000000400000-0x00000000007DD000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	35b58c0f26a40bedd65052613f95cb2b_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\BASSMOD.dll	WGXMYVSX.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2408	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2408	AUDIODG.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 784	4524	35b58c0f26a40bedd65052613f95cb2b_JaffaCakes118.exe	84
PID 4524 wrote to memory of 784	4524	35b58c0f26a40bedd65052613f95cb2b_JaffaCakes118.exe	84
PID 4524 wrote to memory of 784	4524	35b58c0f26a40bedd65052613f95cb2b_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\35b58c0f26a40bedd65052613f95cb2b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\35b58c0f26a40bedd65052613f95cb2b_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WGXMYVSX.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WGXMYVSX.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:784

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x2b4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WGXMYVSX.exe

Filesize
2.1MB

MD5
497574db6481d872d15040b7749d4584

SHA1
d4d8a8daa72b3f3a1bf5ff3bf3d045767e57a41a

SHA256
41e3cf4b93c500420e0ff0f5fb730f75759335cce61c2b2b9d89cab11c5860e1

SHA512
d243f6788b79fa2d2c6f31b9792d4289cf2d9abfe9bea71a448d06ada7a6028e66c7cf610d6bd6912724ae6cee08e2bb87e04a5398ec15f7a40b42f3de145359

Download Submit
C:\Windows\SysWOW64\BASSMOD.dll

Filesize
10KB

MD5
7bac2c6f66524cfc55ae91ddf3ece2dd

SHA1
afd526ca6629c5a6c851d66a2983099a3007935e

SHA256
b10a2f9f733227ec0edb6ed37cb3c8b592b0ae4e4bcedfb650bfc7622ac6aa71

SHA512
4f81516e273d02404e41fd54cac8b5fbe87465dc5554f5665e1b9a4107ba9a9ba34a9222a0061836a558d6db198c0774f98b022992c41750ec2a947dd3bce2bb

Download Submit
memory/784-7-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/784-12-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads