5bb64b7a6c64183fb40d05d03bf59de1fa3dd59683b95c67e935bbe84dc60c8f

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2024 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe
Size

241KB
MD5

395a302982f864797b3b5f645b7c9217
SHA1

134a0b7847bd76bf4efef1db5f4d81979232ca56
SHA256

5bb64b7a6c64183fb40d05d03bf59de1fa3dd59683b95c67e935bbe84dc60c8f
SHA512

69fb0d567b8b492a8465916affdc5545f64618903cd23ccace8af7594d23c78079a01ae2d41f1469272acc475eeced580cfb6736e969d1ee0bc1d73241413a4c
SSDEEP

3072:jVQSWGAR5ndKwc5gbwiOW5evfFiC1WVhGx8f/AiyYvnSN3OmZLEojh9DD5x:PZARhwpWk3FCVnHAiyYvDmBFjP

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4552	niat.exe
2700	niat.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ozsosouwy = "C:\\Users\\Admin\\AppData\\Roaming\\Uwaz\\niat.exe"	niat.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3656 set thread context of 3628	3656	395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe	86
PID 4552 set thread context of 2700	4552	niat.exe	88

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe
2700	niat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3628	395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe
Token: SeSecurityPrivilege	3628	395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3656	395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe
4552	niat.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3656 wrote to memory of 3628	3656	395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe	86
PID 3656 wrote to memory of 3628	3656	395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe	86
PID 3656 wrote to memory of 3628	3656	395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe	86
PID 3656 wrote to memory of 3628	3656	395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe	86
PID 3656 wrote to memory of 3628	3656	395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe	86
PID 3656 wrote to memory of 3628	3656	395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe	86
PID 3656 wrote to memory of 3628	3656	395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe	86
PID 3628 wrote to memory of 4552	3628	395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe	87
PID 3628 wrote to memory of 4552	3628	395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe	87
PID 3628 wrote to memory of 4552	3628	395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe	87
PID 4552 wrote to memory of 2700	4552	niat.exe	88
PID 4552 wrote to memory of 2700	4552	niat.exe	88
PID 4552 wrote to memory of 2700	4552	niat.exe	88
PID 4552 wrote to memory of 2700	4552	niat.exe	88
PID 4552 wrote to memory of 2700	4552	niat.exe	88
PID 4552 wrote to memory of 2700	4552	niat.exe	88
PID 4552 wrote to memory of 2700	4552	niat.exe	88
PID 2700 wrote to memory of 2724	2700	niat.exe	46
PID 2700 wrote to memory of 2724	2700	niat.exe	46
PID 2700 wrote to memory of 2724	2700	niat.exe	46
PID 2700 wrote to memory of 2724	2700	niat.exe	46
PID 2700 wrote to memory of 2724	2700	niat.exe	46
PID 3628 wrote to memory of 4968	3628	395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe	89
PID 3628 wrote to memory of 4968	3628	395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe	89
PID 3628 wrote to memory of 4968	3628	395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe	89
PID 2700 wrote to memory of 2804	2700	niat.exe	50
PID 2700 wrote to memory of 2804	2700	niat.exe	50
PID 2700 wrote to memory of 2804	2700	niat.exe	50
PID 2700 wrote to memory of 2804	2700	niat.exe	50
PID 2700 wrote to memory of 2804	2700	niat.exe	50
PID 2700 wrote to memory of 2912	2700	niat.exe	53
PID 2700 wrote to memory of 2912	2700	niat.exe	53
PID 2700 wrote to memory of 2912	2700	niat.exe	53
PID 2700 wrote to memory of 2912	2700	niat.exe	53
PID 2700 wrote to memory of 2912	2700	niat.exe	53
PID 2700 wrote to memory of 3408	2700	niat.exe	56
PID 2700 wrote to memory of 3408	2700	niat.exe	56
PID 2700 wrote to memory of 3408	2700	niat.exe	56
PID 2700 wrote to memory of 3408	2700	niat.exe	56
PID 2700 wrote to memory of 3408	2700	niat.exe	56
PID 2700 wrote to memory of 3552	2700	niat.exe	57
PID 2700 wrote to memory of 3552	2700	niat.exe	57
PID 2700 wrote to memory of 3552	2700	niat.exe	57
PID 2700 wrote to memory of 3552	2700	niat.exe	57
PID 2700 wrote to memory of 3552	2700	niat.exe	57
PID 2700 wrote to memory of 3744	2700	niat.exe	58
PID 2700 wrote to memory of 3744	2700	niat.exe	58
PID 2700 wrote to memory of 3744	2700	niat.exe	58
PID 2700 wrote to memory of 3744	2700	niat.exe	58
PID 2700 wrote to memory of 3744	2700	niat.exe	58
PID 2700 wrote to memory of 3840	2700	niat.exe	59
PID 2700 wrote to memory of 3840	2700	niat.exe	59
PID 2700 wrote to memory of 3840	2700	niat.exe	59
PID 2700 wrote to memory of 3840	2700	niat.exe	59
PID 2700 wrote to memory of 3840	2700	niat.exe	59
PID 2700 wrote to memory of 3904	2700	niat.exe	60
PID 2700 wrote to memory of 3904	2700	niat.exe	60
PID 2700 wrote to memory of 3904	2700	niat.exe	60
PID 2700 wrote to memory of 3904	2700	niat.exe	60
PID 2700 wrote to memory of 3904	2700	niat.exe	60
PID 2700 wrote to memory of 3988	2700	niat.exe	61
PID 2700 wrote to memory of 3988	2700	niat.exe	61
PID 2700 wrote to memory of 3988	2700	niat.exe	61
PID 2700 wrote to memory of 3988	2700	niat.exe	61

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2804

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2912

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3408
- C:\Users\Admin\AppData\Local\Temp\395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Users\Admin\AppData\Local\Temp\395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3628
  - - C:\Users\Admin\AppData\Roaming\Uwaz\niat.exe
      "C:\Users\Admin\AppData\Roaming\Uwaz\niat.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4552
    - - C:\Users\Admin\AppData\Roaming\Uwaz\niat.exe
        
        "C:\Users\Admin\AppData\Roaming\Uwaz\niat.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2700
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpea59b06f.bat"
      4⤵
      PID:4968
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3552

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3744

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3840

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3904

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3988

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3776

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3588

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4652

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:3376

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4444

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:864

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpea59b06f.bat

Filesize
271B

MD5
41d78112c7a1e15cff6b27e8d12778bd

SHA1
3c61a353c2726fa618fb9b3cd3343ec5823f27a9

SHA256
94ed47287e784d4359135c027df42bfd5d5380e1a0424ee2e5aab168eb340c49

SHA512
5e604b81d6cb95b9c393a737754b66a58543944a9470552e63d73bbed3bd16722e3c601ab8a8ac8ab81b054df633ea9581026e2e94ec0a673d3b622c6d0d1369

Download Submit
C:\Users\Admin\AppData\Roaming\Uwaz\niat.exe

Filesize
241KB

MD5
eb8783d5f72063c2ef53e4f9d928e066

SHA1
3fd0446d3a44349b51323d6b6fb3fff203afc445

SHA256
c39e53043918b5df4156cd0f43d41eae8b49a67331770db2a07813051d7bd4d4

SHA512
f04ece0b238247d659415c6d7df6908bebd022b8d5893cffeb33fae69c8526268f5d116e557947c563924fb99c6ddb41c954f1ead4c59ce2a50f8fae7b11853c

Download Submit
memory/2700-31-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2700-34-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2700-39-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2700-45-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2700-40-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2700-20-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2700-33-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2700-30-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2700-32-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2700-38-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2700-35-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2700-52-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2700-36-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2700-37-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3628-4-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3628-7-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3628-6-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3628-24-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3628-5-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3628-8-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3628-2-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4968-28-0x0000000001530000-0x000000000156B000-memory.dmp

Filesize
236KB

Download
memory/4968-25-0x0000000001530000-0x000000000156B000-memory.dmp

Filesize
236KB

Download