952f93c8f38cf899c6a5d3fedc33c62b9a709849f64bbd463d993837df4b280c

Analysis

max time kernel
142s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe
Size

179KB
MD5

35c17da2a6b1ca0fde461589a80301f9
SHA1

2935855a10ca5248bccd685e7b6ba259040ef518
SHA256

952f93c8f38cf899c6a5d3fedc33c62b9a709849f64bbd463d993837df4b280c
SHA512

da0d8564d19be9286c2d34fef15f961bef36b2e0a320889e8bd2b10c6353dfc165dc1da34adf94022799ca2a7b4313cb9ce96e1cd30a9ccf46cfd7f901835b46
SSDEEP

3072:IhaohCRlHf+f0W3smpqk2gmc5hskjo2EtAMImsp/GPWLim0t619/uL/LZ24nLkti:uCRtk06pSc7dEtAsspKvLt6MLZtnLkti

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4576	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe
4576	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4576	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\HELP\F3C74E3FA248.dll	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe
File opened for modification	C:\Windows\HELP\F3C74E3FA248.dll	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\HELP\\F3C74E3FA248.dll"	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment"	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL"	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4576	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 3292	4576	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe	82
PID 4576 wrote to memory of 3292	4576	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe	82
PID 4576 wrote to memory of 3292	4576	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe	82
PID 4576 wrote to memory of 4904	4576	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe	90
PID 4576 wrote to memory of 4904	4576	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe	90
PID 4576 wrote to memory of 4904	4576	35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\35c17da2a6b1ca0fde461589a80301f9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  PID:3292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  PID:4904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
64B

MD5
084391877619ba70f8c0c32a284e2860

SHA1
7d3c1227a9fd8acb763049142443152a4f9748bb

SHA256
11aded5764c570597c697f3f655f9a80420268cbf01876b8a937a54b4f640aa4

SHA512
712bc4715602fa460905ad16b02ca3af20db3a5f7132356d6753f947bddd607305350ccf26c7899f2e158a8d5963805eff1a9574d0ca58336605977d43c8a2a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
63B

MD5
82a8fc9c7b652e697beb7dd61916009e

SHA1
529751a8c94dbfad2b71afa457324b2fd242eec8

SHA256
d009b79fae689bda25819f9ef580b096ea3efe089cc9814f7e71ec0876d4a7cb

SHA512
2c2b8f1918de5bb9161e3c1cead88844fcdd4753f04802d355674f8860f52d8078a33baf38665faa50401a0118b4c9cdbd44d0657ed82c6ad64d2c44261d2552

Download Submit
C:\Windows\Help\F3C74E3FA248.dll

Filesize
125KB

MD5
81ce4bfd4ccb11a4c765b2b1c7ebc059

SHA1
fb883ad15c7eba73850c1b36a2bb54ec567902e4

SHA256
61dbb1f94efbf3b8f25cbf5f3b5c6f0aafd6ee9f3a217950708c9ac951abafbe

SHA512
1fa775d0c6b5742a3f3cdf4c6690bf4e3afa43ee020660b291592b1df98f3ca9c1b9188f5790c278ab0be8bbce2b31337afaf3336422151fc1bf5d8469c7602a

Download Submit
memory/4576-0-0x0000000000400000-0x000000000045E3B0-memory.dmp

Filesize
376KB

Download
memory/4576-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4576-5-0x0000000000400000-0x000000000045E3B0-memory.dmp

Filesize
376KB

Download
memory/4576-15-0x00000000005D0000-0x000000000061C000-memory.dmp

Filesize
304KB

Download
memory/4576-17-0x0000000000400000-0x000000000045E3B0-memory.dmp

Filesize
376KB

Download
memory/4576-16-0x00000000005D0000-0x000000000061C000-memory.dmp

Filesize
304KB

Download
memory/4576-19-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4576-20-0x0000000000400000-0x000000000045E3B0-memory.dmp

Filesize
376KB

Download
memory/4576-22-0x00000000005D0000-0x000000000061C000-memory.dmp

Filesize
304KB

Download