317bcc348c57cb035822587c0a12e95e93517fccff0eb4c3263de5ed674d1a7f

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cf0c08b20d1841cf3992f76987b3d64_JaffaCakes118.exe
Size

49KB
MD5

3cf0c08b20d1841cf3992f76987b3d64
SHA1

3643e32dc10090c2b189ed15712fc9019be9902d
SHA256

317bcc348c57cb035822587c0a12e95e93517fccff0eb4c3263de5ed674d1a7f
SHA512

0d3970ec5fb393249657c5a3154d8e28aa9c8332a3897edbf21ea85ad47af127a3efccc307bfd99f919016f421229196608bd0442e9c82c044ec4ad789a9ae36
SSDEEP

1536:pEFjc66Dsp396h2+0mR0a5JdsG4gHKs+85c/vN:p6m03uF1NGG4gqs+vXN

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
16	1788	rundll32.exe
22	1788	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
3832	3cf0c08b20d1841cf3992f76987b3d64_JaffaCakes118.exe
1788	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\tuvSighf.dll,#1"	rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\tuvSighf.dll	3cf0c08b20d1841cf3992f76987b3d64_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tuvSighf.dll	3cf0c08b20d1841cf3992f76987b3d64_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xxyawvSj.dll	rundll32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ThreadingModel = "Both"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ = "C:\\Windows\\SysWow64\\tuvSighf.dll"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3832	3cf0c08b20d1841cf3992f76987b3d64_JaffaCakes118.exe
3832	3cf0c08b20d1841cf3992f76987b3d64_JaffaCakes118.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3832	3cf0c08b20d1841cf3992f76987b3d64_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3832	3cf0c08b20d1841cf3992f76987b3d64_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 612	3832	3cf0c08b20d1841cf3992f76987b3d64_JaffaCakes118.exe	5
PID 3832 wrote to memory of 1788	3832	3cf0c08b20d1841cf3992f76987b3d64_JaffaCakes118.exe	90
PID 3832 wrote to memory of 1788	3832	3cf0c08b20d1841cf3992f76987b3d64_JaffaCakes118.exe	90
PID 3832 wrote to memory of 1788	3832	3cf0c08b20d1841cf3992f76987b3d64_JaffaCakes118.exe	90
PID 3832 wrote to memory of 4764	3832	3cf0c08b20d1841cf3992f76987b3d64_JaffaCakes118.exe	91
PID 3832 wrote to memory of 4764	3832	3cf0c08b20d1841cf3992f76987b3d64_JaffaCakes118.exe	91
PID 3832 wrote to memory of 4764	3832	3cf0c08b20d1841cf3992f76987b3d64_JaffaCakes118.exe	91
PID 1788 wrote to memory of 2388	1788	rundll32.exe	93
PID 1788 wrote to memory of 2388	1788	rundll32.exe	93
PID 1788 wrote to memory of 2388	1788	rundll32.exe	93

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\3cf0c08b20d1841cf3992f76987b3d64_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3cf0c08b20d1841cf3992f76987b3d64_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\tuvSighf.dll,a
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\system32\xxyawvSj.dll",s
    3⤵
    PID:2388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nnnmkLEv.bat "C:\Users\Admin\AppData\Local\Temp\3cf0c08b20d1841cf3992f76987b3d64_JaffaCakes118.exe"
  2⤵
  PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nnnmkLEv.bat

Filesize
63B

MD5
1905985d50a437b54c0806283bc35a62

SHA1
7807ff472c78426f25ca6eac5f316f21a6e937b8

SHA256
6eb339f8ebcb76b31c5cf4d3dae918143033a3d268d104d12c29892ab35a942c

SHA512
8acc3806e3e14d81092c2b85100c564791dd957917294623a98ae2f06ab041e0fe900594d7feb0b12d372b6c6e811bbf0ab6d8e02a639a72be6b9ac48ee6c2bf

Download Submit
C:\Windows\SysWOW64\tuvSighf.dll

Filesize
36KB

MD5
5971e9fd476c6e2881f25bbcfce21107

SHA1
e4208bb5cfb6f3a841be2628e0e22974f1413709

SHA256
384667996d4467ae579c39748bc6b4793ac8af1e8256dc9a1fa85b2454b81507

SHA512
4cb39b498b68e6e8751d67715fe4940f647662a315ad3217d088c8dfb13c8b150b3900947a62a7d7a7edd467dfad0e8d5fbbbffb923885acc530f5540e373da5

Download Submit
C:\Windows\SysWOW64\xxyawvSj.dll

Filesize
1KB

MD5
cd4e3994680721e241592de6a47e8c8e

SHA1
572be4d41164bed61d8dfa36c532759ef84d9972

SHA256
e75ab8fc58409fc7a6aae66133dec54484030c63416d59b7e487b097887c41b5

SHA512
0f87a4b97e4a50a2d27af5dafff7ed5f32b29f4babffe620bf9eb381f5c03ca91228253f0541bb2c8fc958c50c073526d97824786ef493ccf0ea7bff1051c94c

Download Submit
memory/1788-20-0x0000000001250000-0x0000000001255000-memory.dmp

Filesize
20KB

Download
memory/1788-19-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1788-27-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/3832-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3832-1-0x00000000005C0000-0x00000000005C5000-memory.dmp

Filesize
20KB

Download
memory/3832-2-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3832-8-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/3832-10-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/3832-11-0x00000000005C0000-0x00000000005C5000-memory.dmp

Filesize
20KB

Download