a144607ef15f4f982c648c8995a3bd0bbade5e13461ec9e27c9d994dccec6534

Analysis

max time kernel
150s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe
Size

19KB
MD5

3661c0a8878c7895ea52e64f3f9fa685
SHA1

4c88841d5a619aaa92491bdb73c5b85c20314f82
SHA256

a144607ef15f4f982c648c8995a3bd0bbade5e13461ec9e27c9d994dccec6534
SHA512

9e129f9fe63e038b790d48410b1f96d75232453997c83d9d823dd1b6526ced1cc3ba75bf5630ead3bae330772c46c1dd46757b6586f90ba6a49a1081651725c9
SSDEEP

384:erTWjZkBVsc7FDtWNColOQE97NNjfLidb9SwdDFRCdmofuicL:e/bB3NtWNColOQE9RNjfL6h6Nfi

Score

7^/10

persistence upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe

pid process

4656 3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4656-0-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4656-12-0x0000000000400000-0x0000000000412000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bqvvitxl = "C:\\Windows\\qvtluybe.exe"	3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

Processes:

3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe

description ioc process

File created C:\Windows\SysWOW64\lvvtwmky.dll 3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\lvvtwmky.dll	3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

Processes:

3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\qvtluybe.exe	3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe
File created	C:\Windows\qvtluybe.exe	3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe

pid	process
4656	3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe
4656	3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe
4656	3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe
4656	3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe

pid process

4656 3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe

description	pid	process	target process
PID 4656 wrote to memory of 3440	4656	3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe	Explorer.EXE
PID 4656 wrote to memory of 3440	4656	3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3440

C:\Users\Admin\AppData\Local\Temp\3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\lvvtwmky.dll

Filesize
40KB

MD5
014ce4f5ab08e6dafcc61fa64de6bdb5

SHA1
011584beaf6155ca285ab992bb21c9da3b9defc6

SHA256
57d25af09feb5644125f0be661c39a74b2252d638f7b5bde053a7c2573e76ce7

SHA512
6a23c48a9d7038107fcec55a14d895e0650ab3d0edbfc37255cc1e6c88cb907d51a21e93ab14ed52135ec6645de2846c93c24d34a6af7441a98421a5c7507ef2

Download Submit
memory/3440-3-0x0000000001650000-0x0000000001651000-memory.dmp

Filesize
4KB

Download
memory/4656-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4656-8-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/4656-6-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/4656-11-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/4656-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download