640831973f16a461c8f12bf980c8261440d7b9f9aeb66aeb2908e701c70ad98a

Analysis

max time kernel
142s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 05:29 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37df775bd2ca35ef4c8e252181812438_JaffaCakes118.exe
Size

281KB
MD5

37df775bd2ca35ef4c8e252181812438
SHA1

7e96db2fae18fc4c592dc3ebae7ef065a45bd96f
SHA256

640831973f16a461c8f12bf980c8261440d7b9f9aeb66aeb2908e701c70ad98a
SHA512

fb24e5676dfa4c2e501ff390989f7ffd3d9f29e445052879be95f58fee13394ebb39773683b3165b05fe5f6960e3392b4f2dfee8fb02726899a702d22352a638
SSDEEP

6144:QvUTQlCjQA6XTqbU94/awxvTVTfyuw5H+Mb3P1pHQGXQDMHp:+HC0tjqkQawtRTfweK3d4DMJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3192	systim32

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\systim32	37df775bd2ca35ef4c8e252181812438_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	37df775bd2ca35ef4c8e252181812438_JaffaCakes118.exe
File created	C:\Windows\systim32	37df775bd2ca35ef4c8e252181812438_JaffaCakes118.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	systim32
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	systim32
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	systim32
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	systim32
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	systim32

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4724	37df775bd2ca35ef4c8e252181812438_JaffaCakes118.exe
Token: SeDebugPrivilege	3192	systim32

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3192	systim32

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 2276	4724	37df775bd2ca35ef4c8e252181812438_JaffaCakes118.exe	87
PID 4724 wrote to memory of 2276	4724	37df775bd2ca35ef4c8e252181812438_JaffaCakes118.exe	87
PID 4724 wrote to memory of 2276	4724	37df775bd2ca35ef4c8e252181812438_JaffaCakes118.exe	87
PID 3192 wrote to memory of 1232	3192	systim32	86
PID 3192 wrote to memory of 1232	3192	systim32	86

C:\Users\Admin\AppData\Local\Temp\37df775bd2ca35ef4c8e252181812438_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\37df775bd2ca35ef4c8e252181812438_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:2276

C:\Windows\systim32
C:\Windows\systim32
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Program Files\Internet Explorer\IexplOrE.ExE
  "C:\Program Files\Internet Explorer\IexplOrE.ExE"
  2⤵
  PID:1232

Network

DNS

133.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.32.126.40.in-addr.arpa

IN PTR

Response
DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom
DNS

6767600.cn

systim32

Remote address:

8.8.8.8:53

Request

6767600.cn

IN A

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

147.142.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

147.142.123.92.in-addr.arpa

IN PTR

Response

147.142.123.92.in-addr.arpa

IN PTR

a92-123-142-147deploystaticakamaitechnologiescom
DNS

6767600.cn

systim32

Remote address:

8.8.8.8:53

Request

6767600.cn

IN A

Response
DNS

81.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.144.22.2.in-addr.arpa

IN PTR

Response

81.144.22.2.in-addr.arpa

IN PTR

a2-22-144-81deploystaticakamaitechnologiescom
DNS

6767600.cn

systim32

Remote address:

8.8.8.8:53

Request

6767600.cn

IN A

Response
DNS

6767600.cn

systim32

Remote address:

8.8.8.8:53

Request

6767600.cn

IN A

Response

No results found

8.8.8.8:53

133.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

133.32.126.40.in-addr.arpa
8.8.8.8:53

205.47.74.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

205.47.74.20.in-addr.arpa
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa
8.8.8.8:53

6767600.cn

dns

systim32

56 B
109 B
1
1

DNS Request

6767600.cn
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

147.142.123.92.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

147.142.123.92.in-addr.arpa
8.8.8.8:53

6767600.cn

dns

systim32

56 B
109 B
1
1

DNS Request

6767600.cn
8.8.8.8:53

81.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

81.144.22.2.in-addr.arpa
8.8.8.8:53

6767600.cn

dns

systim32

56 B
109 B
1
1

DNS Request

6767600.cn
8.8.8.8:53

6767600.cn

dns

systim32

56 B
109 B
1
1

DNS Request

6767600.cn

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\systim32

Filesize
281KB

MD5
37df775bd2ca35ef4c8e252181812438

SHA1
7e96db2fae18fc4c592dc3ebae7ef065a45bd96f

SHA256
640831973f16a461c8f12bf980c8261440d7b9f9aeb66aeb2908e701c70ad98a

SHA512
fb24e5676dfa4c2e501ff390989f7ffd3d9f29e445052879be95f58fee13394ebb39773683b3165b05fe5f6960e3392b4f2dfee8fb02726899a702d22352a638

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
bcfd6a2d4adb3cf3fce290f8899c9b28

SHA1
6d5e001ac62392330b50f37bdef6886c27f71d07

SHA256
5fa25633a160808ce009c3c2cc5656369d20abb72f75abb1c0d0bf42f7a209da

SHA512
77c2134021b145983c017e81e1453400e3be18ed9a73016a9c8493766677074524d76d7ae1ed92f00b2c014bd0e2107204f9d092e0c855181e77bc048144ad4e

Download Submit
memory/3192-22-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/3192-18-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/3192-16-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/3192-13-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/3192-12-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/4724-4-0x000000000050E000-0x000000000050F000-memory.dmp

Filesize
4KB

Download
memory/4724-9-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/4724-1-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/4724-3-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/4724-0-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/4724-5-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/4724-6-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.