d2222167a4feca9d5c07f981d82f8af18edb26c38abf6c17ae4f37cf769dacc4

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 02:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

37679d8cdbdb8a18d4ecf9cf5c21f673_JaffaCakes118.exe
Size

1.1MB
MD5

37679d8cdbdb8a18d4ecf9cf5c21f673
SHA1

eb46e6a6c4779c402be327e8bbd684cf945d9542
SHA256

d2222167a4feca9d5c07f981d82f8af18edb26c38abf6c17ae4f37cf769dacc4
SHA512

c98123237c12eff8f61a23940b49c59b7a07318237f60254c91d1155e6f3b4d1692e2161b3e0e7555bdad5a65225b52c062a29574c5929cc5c82103e6460707f
SSDEEP

24576:agAUadtlC7qogDYWbYp4L8hZ12JPk4djP7mAHrcrCFgx:agAzdt47BphCfrUCFgx

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4820	~

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
3968	MSIEXEC.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3476 set thread context of 4820	3476	37679d8cdbdb8a18d4ecf9cf5c21f673_JaffaCakes118.exe	84

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3968	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3968	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3968	MSIEXEC.EXE
3968	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 4820	3476	37679d8cdbdb8a18d4ecf9cf5c21f673_JaffaCakes118.exe	84
PID 3476 wrote to memory of 4820	3476	37679d8cdbdb8a18d4ecf9cf5c21f673_JaffaCakes118.exe	84
PID 3476 wrote to memory of 4820	3476	37679d8cdbdb8a18d4ecf9cf5c21f673_JaffaCakes118.exe	84
PID 3476 wrote to memory of 4820	3476	37679d8cdbdb8a18d4ecf9cf5c21f673_JaffaCakes118.exe	84
PID 3476 wrote to memory of 4820	3476	37679d8cdbdb8a18d4ecf9cf5c21f673_JaffaCakes118.exe	84
PID 4820 wrote to memory of 3968	4820	~	87
PID 4820 wrote to memory of 3968	4820	~	87
PID 4820 wrote to memory of 3968	4820	~	87

C:\Users\Admin\AppData\Local\Temp\37679d8cdbdb8a18d4ecf9cf5c21f673_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\37679d8cdbdb8a18d4ecf9cf5c21f673_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Users\Admin\AppData\Local\Temp\~
  C:\Users\Admin\AppData\Local\Temp\~
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "http://setup.realtimegaming.com/36175/cdn/jackpotcapital/Jackpot Capital20110124081049.msi" DDC_DID=609502 DDC_RTGURL=http://www.dlsetup.com/dl/TrackSetup/TrackSetup.aspx?DID=609502 SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="~"
    3⤵
    - Use of msiexec (install) with remote resource
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{0FF86A93-21BB-42D2-A3F2-263F41E35BC2}\0x0409.ini

Filesize
20KB

MD5
36affbd6ff77d1515cfc1c5e998fbaf9

SHA1
950d00ecc2e7fd2c48897814029e8eedf6397838

SHA256
fccc7f79d29318d8ae78850c262bac762c28858709a6e6cf3b62bcd2729a61e3

SHA512
2f29de86d486db783872581a43a834e5064d1488bc3f085ddc5a3287eb9ee8a4ce93d66f7b4965cafb3c4f06b38d4b0fcfdc0fcb1f99d61331a808e5d6011808

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0FF86A93-21BB-42D2-A3F2-263F41E35BC2}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~

Filesize
904KB

MD5
5f705ef533a3271ad14c3755cd5da0fb

SHA1
260ca4db939017cb44993fdf9da705c092ff4d8b

SHA256
803297b6508e7fd48479c56199ae3cb6823c4c90fcc88cadfab460cf79749387

SHA512
708d9d7e8e5bc9db5deec75d41aec400ff399f75bb9bc9e240ef53b8221fd2b8601f4f12556f0f131a9a5ac0c61ed2950f12bb9d58d94eeadeb055a87ae1320e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~73BB.tmp

Filesize
5KB

MD5
23e40a3344b5548ef4000483eca05da7

SHA1
d5e475813146ee9b94c8a1a433715ca28f241ad0

SHA256
9fcefe4afec4e13a8cc06c121c9fb97fb9a0d03c719cdda956fa6397acd4ad22

SHA512
105c535335827debc30bb1db92f3a5ffd7361d28dfe432ba435f14983a596e252aa3536ad4e6963df321fa655d485754c28767944b1b604452bf247caad50c23

Download Submit
memory/4820-49-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download