dc0af5e12889c1e9088fb7b939f4e674abafdd1c0a690dc3eff638e764cab9ca

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
Size

411KB
MD5

385f90ff96be269a3e742835ace47a94
SHA1

b4e818a749e8a973ed86af43c5ea96d8b2b3ce56
SHA256

dc0af5e12889c1e9088fb7b939f4e674abafdd1c0a690dc3eff638e764cab9ca
SHA512

b7354bb46c9ed450f23b89dbe25ff4081ab9ef14a96b3c2f8d8ff117c3869eec2ca3703cdacb6cb4f85ee699f0885816afd280b6cdb2a954efa31bc522c5fe1c
SSDEEP

6144:e2h3vHpW/KNGX+RtF2idZecnl20lHRxp3gAncduD7yB9VCO6Sco4q8+dE6Cqh:9oW8sF3Z4mxxjDqVTVOCh

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WinDir = "{bfbc1a78-cddd-1672-876e-324d6c4686e9}"	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
4188	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\NTboot.log	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NTboot.exe	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NTboot.exe	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NTboot32.dll	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{bfbc1a78-cddd-1672-876e-324d6c4686e9}\InProcServer32\ThreadingModel = "Apartment"	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{bfbc1a78-cddd-1672-876e-324d6c4686e9}\InProcServer32	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{bfbc1a78-cddd-1672-876e-324d6c4686e9}	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{bfbc1a78-cddd-1672-876e-324d6c4686e9}\InProcServer32\ = "NTboot32.dll"	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4188	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
4188	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
4188	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
4188	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
4188	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
4188	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
4188	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
4188	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
4188	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
4188	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4188	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4188	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 1768	4188	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe	86
PID 4188 wrote to memory of 1768	4188	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe	86
PID 4188 wrote to memory of 1768	4188	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe	86
PID 4188 wrote to memory of 1768	4188	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe	86
PID 4188 wrote to memory of 1404	4188	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe	87
PID 4188 wrote to memory of 1404	4188	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe	87
PID 4188 wrote to memory of 1404	4188	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\385F90~1.EXE > nul
  2⤵
  PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\NTboot.log

Filesize
458B

MD5
f7441e41184cf982aaff0b3eff4124ca

SHA1
6164dda6fd2088f217269e9ac80c3e3a9f335a61

SHA256
4e9588e7ebb0896aa1ef3332d43ed4f35a2e2c0c6a41065d57b13fdd2e7219a6

SHA512
3ece9ab1e92fa99b207a6fd731ab2634c5614db6910b87c1829fad5c970d2726721073e1526fcd3ae71dbe81536db5c13af74f1c9dba40bb97a556735d1b51ce

Download Submit
C:\Windows\SysWOW64\NTboot32.dll

Filesize
132KB

MD5
74b91ecf650a1f6b3454015c32a5c38d

SHA1
980074c212eebb200b1e98494ec704324bd3e964

SHA256
84e631534e6c48feffa39fb250eb0c3781db599e590661a1fc560db9d9002034

SHA512
9975183aa0ea81cde42d3632da91ed61cfd13f1435436f52586ca774844764afa445ee6acbfe2777490f233b72ce09aea7c32882e9d4c9f6488adc652260c30b

Download Submit
memory/4188-39-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-33-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-3-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/4188-27-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-31-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-45-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-53-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-52-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-51-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-50-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-49-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-48-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4188-54-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-62-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-72-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-78-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-77-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-2-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/4188-75-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-74-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-1-0x0000000002150000-0x00000000021A4000-memory.dmp

Filesize
336KB

Download
memory/4188-71-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-70-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-69-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-68-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-67-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-63-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-60-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-66-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-46-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-44-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-43-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-42-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-41-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-40-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-47-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-4-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/4188-24-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/4188-36-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-85-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-89-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-88-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-87-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-86-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-35-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-34-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-38-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-32-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-30-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-29-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-28-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-37-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-23-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/4188-22-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/4188-21-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/4188-20-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/4188-19-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/4188-18-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/4188-17-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/4188-16-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/4188-15-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/4188-14-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/4188-13-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/4188-12-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/4188-11-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/4188-10-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/4188-9-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/4188-8-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/4188-7-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/4188-6-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/4188-26-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-25-0x00000000032C0000-0x00000000032DB000-memory.dmp

Filesize
108KB

Download
memory/4188-5-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/4188-94-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4188-95-0x0000000002150000-0x00000000021A4000-memory.dmp

Filesize
336KB

Download