be2266c391ca3e7e1eb90e30cd2a0de3bedd7919278722aeaa10d8718fdc3d64

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12-07-2024 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe
Size

19KB
MD5

3b60b3da4433c4598ee2ac4b99c1ecc5
SHA1

cacb82dedf2d1fe8a4fc9a77d358ffbf60e99403
SHA256

be2266c391ca3e7e1eb90e30cd2a0de3bedd7919278722aeaa10d8718fdc3d64
SHA512

a98883fb43595194b5a68f146f4c3149491ad3ea04385fd2a6be513f3ba7de2055e85858fc4fbdabac61ddf468d4d62be317719f8f531a713d573b71b9dccf49
SSDEEP

384:iQLUsKgu5M8yRcbCvtPwCSxSyZYRLQe4tKIqeA24/VcBm1KfzF/YkDA3x:xsv5EGmS/xSy+n9/J1KtYkDA3x

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3632	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe
3632	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tf0	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wyrsdj.dll.LoG	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wyrsdj.dll	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION\EXPLORER	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}\ = "MICROSOFT"	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}\InProcServer32	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}\InProcServer32\ = "C:\\Windows\\SysWow64\\wyrsdj.dll"	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}\InProcServer32\ThreadingModel = "Apartment"	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3632	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe
3632	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	3632	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe
Token: SeRestorePrivilege	3632	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe
Token: SeBackupPrivilege	3632	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe
Token: SeRestorePrivilege	3632	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3632	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe
3632	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe
3632	3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b60b3da4433c4598ee2ac4b99c1ecc5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wyrsdj.dll

Filesize
220KB

MD5
36244bf32b9cb1f5ac29297a429ec9c0

SHA1
5762a0f924d8f30f428467238558d76d5246aa44

SHA256
030af8c4ccfd0f77382213b0549b2334d74f82b8aeb2906b8293e41b63dacc87

SHA512
a231a1cf180cd698d6e30c7add191c20b7d24458392bfc81e4d5f3f3e0835a18431f1dcfe630db4fcd89e80f6aedc3108a680c1e622107eb3454e7a33a5d5f33

Download Submit
memory/3632-4-0x00000000008C0000-0x00000000008CD000-memory.dmp

Filesize
52KB

Download
memory/3632-8-0x00000000008C0000-0x00000000008CD000-memory.dmp

Filesize
52KB

Download