d6ff748edaa9a234525893daafa183d9b574920fc34485c716e44ae9d41a8060

Analysis

max time kernel
135s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2024 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a5c7fc09f848e33f15bea3f220c592f_JaffaCakes118.exe
Size

93KB
MD5

3a5c7fc09f848e33f15bea3f220c592f
SHA1

dd03f7156fd27ebde2f5666c277196df1d04a471
SHA256

d6ff748edaa9a234525893daafa183d9b574920fc34485c716e44ae9d41a8060
SHA512

4e3a78d1fd5fc7ce466940a3391ae722694252952ae70bb53f9c9529b8a40bcb523eae0a786624e3b5957428352257d4e27fa3b719f02e6c0d969a3576f4d7b0
SSDEEP

1536:vQQ2aTmzPfYPpIGmMQ5qwsVHYDP2KaruZUp8gPLV9SNTlsGW:vQQ2aS7u7XQ5qTx+P2KarJpxV9QTlsGW

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CD Open Check = "C:\\Windows\\system32\\Exp.exe"	reg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Exp.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Exp.exe	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\6680\Thumbs.exe	cmd.exe
File created	C:\Windows\Thumbs.db	cmd.exe
File opened for modification	C:\Windows\Thumbs.db	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 1584	1532	3a5c7fc09f848e33f15bea3f220c592f_JaffaCakes118.exe	86
PID 1532 wrote to memory of 1584	1532	3a5c7fc09f848e33f15bea3f220c592f_JaffaCakes118.exe	86
PID 1532 wrote to memory of 1584	1532	3a5c7fc09f848e33f15bea3f220c592f_JaffaCakes118.exe	86
PID 1584 wrote to memory of 3136	1584	cmd.exe	87
PID 1584 wrote to memory of 3136	1584	cmd.exe	87
PID 1584 wrote to memory of 3136	1584	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\3a5c7fc09f848e33f15bea3f220c592f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a5c7fc09f848e33f15bea3f220c592f_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\153F397.bat" "C:\Users\Admin\AppData\Local\Temp\3a5c7fc09f848e33f15bea3f220c592f_JaffaCakes118.exe""
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "CD Open Check" /t REG_SZ /d "C:\Windows\system32\Exp.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\153F397.bat

Filesize
5KB

MD5
5b7aa667d4b86b52f3a0c1f5f1f3916f

SHA1
202f190a60fb344a7698d94647e3ce0d5b2911d4

SHA256
546893bba52d79199181aff088b11ebaed6ce112df120d0c15061d7f78af4455

SHA512
7b766bcef70fb559234508905ba0bb24936e530f6252d98c7dc841e2c244a47bcbc846256fa5ae8298bb0099b1e3f84ab35437182e6ed1f8df81c3c07e92da1e

Download Submit
memory/1532-6-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads