640831973f16a461c8f12bf980c8261440d7b9f9aeb66aeb2908e701c70ad98a

Analysis

max time kernel
142s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 05:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

37df775bd2ca35ef4c8e252181812438_JaffaCakes118.exe
Size

281KB
MD5

37df775bd2ca35ef4c8e252181812438
SHA1

7e96db2fae18fc4c592dc3ebae7ef065a45bd96f
SHA256

640831973f16a461c8f12bf980c8261440d7b9f9aeb66aeb2908e701c70ad98a
SHA512

fb24e5676dfa4c2e501ff390989f7ffd3d9f29e445052879be95f58fee13394ebb39773683b3165b05fe5f6960e3392b4f2dfee8fb02726899a702d22352a638
SSDEEP

6144:QvUTQlCjQA6XTqbU94/awxvTVTfyuw5H+Mb3P1pHQGXQDMHp:+HC0tjqkQawtRTfweK3d4DMJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3192	systim32

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\systim32	37df775bd2ca35ef4c8e252181812438_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	37df775bd2ca35ef4c8e252181812438_JaffaCakes118.exe
File created	C:\Windows\systim32	37df775bd2ca35ef4c8e252181812438_JaffaCakes118.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	systim32
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	systim32
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	systim32
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	systim32
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	systim32

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4724	37df775bd2ca35ef4c8e252181812438_JaffaCakes118.exe
Token: SeDebugPrivilege	3192	systim32

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3192	systim32

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 2276	4724	37df775bd2ca35ef4c8e252181812438_JaffaCakes118.exe	87
PID 4724 wrote to memory of 2276	4724	37df775bd2ca35ef4c8e252181812438_JaffaCakes118.exe	87
PID 4724 wrote to memory of 2276	4724	37df775bd2ca35ef4c8e252181812438_JaffaCakes118.exe	87
PID 3192 wrote to memory of 1232	3192	systim32	86
PID 3192 wrote to memory of 1232	3192	systim32	86

C:\Users\Admin\AppData\Local\Temp\37df775bd2ca35ef4c8e252181812438_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\37df775bd2ca35ef4c8e252181812438_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:2276

C:\Windows\systim32
C:\Windows\systim32
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Program Files\Internet Explorer\IexplOrE.ExE
  "C:\Program Files\Internet Explorer\IexplOrE.ExE"
  2⤵
  PID:1232

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\systim32

Filesize
281KB

MD5
37df775bd2ca35ef4c8e252181812438

SHA1
7e96db2fae18fc4c592dc3ebae7ef065a45bd96f

SHA256
640831973f16a461c8f12bf980c8261440d7b9f9aeb66aeb2908e701c70ad98a

SHA512
fb24e5676dfa4c2e501ff390989f7ffd3d9f29e445052879be95f58fee13394ebb39773683b3165b05fe5f6960e3392b4f2dfee8fb02726899a702d22352a638

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
bcfd6a2d4adb3cf3fce290f8899c9b28

SHA1
6d5e001ac62392330b50f37bdef6886c27f71d07

SHA256
5fa25633a160808ce009c3c2cc5656369d20abb72f75abb1c0d0bf42f7a209da

SHA512
77c2134021b145983c017e81e1453400e3be18ed9a73016a9c8493766677074524d76d7ae1ed92f00b2c014bd0e2107204f9d092e0c855181e77bc048144ad4e

Download Submit
memory/3192-22-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/3192-18-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/3192-16-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/3192-13-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/3192-12-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/4724-4-0x000000000050E000-0x000000000050F000-memory.dmp

Filesize
4KB

Download
memory/4724-9-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/4724-1-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/4724-3-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/4724-0-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/4724-5-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/4724-6-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download