2ae39fe94301bab47aea05ab4e121f025b37d1bf331723b7e83bba7006fac609

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

436a5dc35ac6708c2c44de0def8a5372_JaffaCakes118.exe
Size

166KB
MD5

436a5dc35ac6708c2c44de0def8a5372
SHA1

d4d5185808afbab0f8457b56ea13ef605f2b148b
SHA256

2ae39fe94301bab47aea05ab4e121f025b37d1bf331723b7e83bba7006fac609
SHA512

84279699f253710bb2111c9bbae0c820d212c6388e854ca86499fe53998791376db98cce7df90cfa40fc490aae8dfad07589ea84847bd9fc8ee1fc19b83c5ad8
SSDEEP

3072:gdJEwOT0c3Ty4VjGTS8VE5TlhKwcrD0k4cosUzHvEbgCOo/LlKzF7:gnQ0c3TBSVE5rcrok4RzsbgCOo/JC7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 19 IoCs

pid	Process
4232	WinSec.exe
2608	WinSec.exe
2120	WinSec.exe
2104	WinSec.exe
2520	WinSec.exe
3900	WinSec.exe
3572	WinSec.exe
4884	WinSec.exe
4312	WinSec.exe
4420	WinSec.exe
4220	WinSec.exe
1584	WinSec.exe
5104	WinSec.exe
2936	WinSec.exe
1860	WinSec.exe
4268	WinSec.exe
4464	WinSec.exe
4328	WinSec.exe
5020	WinSec.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WinSec.exe	436a5dc35ac6708c2c44de0def8a5372_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File opened for modification	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File opened for modification	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File opened for modification	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File created	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File opened for modification	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File created	C:\Windows\SysWOW64\WinSec.exe	436a5dc35ac6708c2c44de0def8a5372_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File created	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File created	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File created	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File created	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File opened for modification	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File opened for modification	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File created	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File opened for modification	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File created	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File opened for modification	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File opened for modification	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File opened for modification	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File opened for modification	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File opened for modification	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File opened for modification	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File created	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File opened for modification	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File opened for modification	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File opened for modification	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File opened for modification	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe
File opened for modification	C:\Windows\SysWOW64\WinSec.exe	WinSec.exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 1480 set thread context of 3404	1480	436a5dc35ac6708c2c44de0def8a5372_JaffaCakes118.exe	87
PID 4232 set thread context of 2608	4232	WinSec.exe	89
PID 2120 set thread context of 2104	2120	WinSec.exe	91
PID 2520 set thread context of 3900	2520	WinSec.exe	94
PID 3572 set thread context of 4884	3572	WinSec.exe	97
PID 4312 set thread context of 4420	4312	WinSec.exe	99
PID 4220 set thread context of 1584	4220	WinSec.exe	101
PID 5104 set thread context of 2936	5104	WinSec.exe	103
PID 1860 set thread context of 4268	1860	WinSec.exe	105
PID 4464 set thread context of 4328	4464	WinSec.exe	107

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1480	436a5dc35ac6708c2c44de0def8a5372_JaffaCakes118.exe
4232	WinSec.exe
2120	WinSec.exe
2520	WinSec.exe
3572	WinSec.exe
4312	WinSec.exe
4220	WinSec.exe
5104	WinSec.exe
1860	WinSec.exe
4464	WinSec.exe
5020	WinSec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 3404	1480	436a5dc35ac6708c2c44de0def8a5372_JaffaCakes118.exe	87
PID 1480 wrote to memory of 3404	1480	436a5dc35ac6708c2c44de0def8a5372_JaffaCakes118.exe	87
PID 1480 wrote to memory of 3404	1480	436a5dc35ac6708c2c44de0def8a5372_JaffaCakes118.exe	87
PID 1480 wrote to memory of 3404	1480	436a5dc35ac6708c2c44de0def8a5372_JaffaCakes118.exe	87
PID 1480 wrote to memory of 3404	1480	436a5dc35ac6708c2c44de0def8a5372_JaffaCakes118.exe	87
PID 1480 wrote to memory of 3404	1480	436a5dc35ac6708c2c44de0def8a5372_JaffaCakes118.exe	87
PID 1480 wrote to memory of 3404	1480	436a5dc35ac6708c2c44de0def8a5372_JaffaCakes118.exe	87
PID 1480 wrote to memory of 3404	1480	436a5dc35ac6708c2c44de0def8a5372_JaffaCakes118.exe	87
PID 3404 wrote to memory of 4232	3404	436a5dc35ac6708c2c44de0def8a5372_JaffaCakes118.exe	88
PID 3404 wrote to memory of 4232	3404	436a5dc35ac6708c2c44de0def8a5372_JaffaCakes118.exe	88
PID 3404 wrote to memory of 4232	3404	436a5dc35ac6708c2c44de0def8a5372_JaffaCakes118.exe	88
PID 4232 wrote to memory of 2608	4232	WinSec.exe	89
PID 4232 wrote to memory of 2608	4232	WinSec.exe	89
PID 4232 wrote to memory of 2608	4232	WinSec.exe	89
PID 4232 wrote to memory of 2608	4232	WinSec.exe	89
PID 4232 wrote to memory of 2608	4232	WinSec.exe	89
PID 4232 wrote to memory of 2608	4232	WinSec.exe	89
PID 4232 wrote to memory of 2608	4232	WinSec.exe	89
PID 4232 wrote to memory of 2608	4232	WinSec.exe	89
PID 2608 wrote to memory of 2120	2608	WinSec.exe	90
PID 2608 wrote to memory of 2120	2608	WinSec.exe	90
PID 2608 wrote to memory of 2120	2608	WinSec.exe	90
PID 2120 wrote to memory of 2104	2120	WinSec.exe	91
PID 2120 wrote to memory of 2104	2120	WinSec.exe	91
PID 2120 wrote to memory of 2104	2120	WinSec.exe	91
PID 2120 wrote to memory of 2104	2120	WinSec.exe	91
PID 2120 wrote to memory of 2104	2120	WinSec.exe	91
PID 2120 wrote to memory of 2104	2120	WinSec.exe	91
PID 2120 wrote to memory of 2104	2120	WinSec.exe	91
PID 2120 wrote to memory of 2104	2120	WinSec.exe	91
PID 2104 wrote to memory of 2520	2104	WinSec.exe	93
PID 2104 wrote to memory of 2520	2104	WinSec.exe	93
PID 2104 wrote to memory of 2520	2104	WinSec.exe	93
PID 2520 wrote to memory of 3900	2520	WinSec.exe	94
PID 2520 wrote to memory of 3900	2520	WinSec.exe	94
PID 2520 wrote to memory of 3900	2520	WinSec.exe	94
PID 2520 wrote to memory of 3900	2520	WinSec.exe	94
PID 2520 wrote to memory of 3900	2520	WinSec.exe	94
PID 2520 wrote to memory of 3900	2520	WinSec.exe	94
PID 2520 wrote to memory of 3900	2520	WinSec.exe	94
PID 2520 wrote to memory of 3900	2520	WinSec.exe	94
PID 3900 wrote to memory of 3572	3900	WinSec.exe	96
PID 3900 wrote to memory of 3572	3900	WinSec.exe	96
PID 3900 wrote to memory of 3572	3900	WinSec.exe	96
PID 3572 wrote to memory of 4884	3572	WinSec.exe	97
PID 3572 wrote to memory of 4884	3572	WinSec.exe	97
PID 3572 wrote to memory of 4884	3572	WinSec.exe	97
PID 3572 wrote to memory of 4884	3572	WinSec.exe	97
PID 3572 wrote to memory of 4884	3572	WinSec.exe	97
PID 3572 wrote to memory of 4884	3572	WinSec.exe	97
PID 3572 wrote to memory of 4884	3572	WinSec.exe	97
PID 3572 wrote to memory of 4884	3572	WinSec.exe	97
PID 4884 wrote to memory of 4312	4884	WinSec.exe	98
PID 4884 wrote to memory of 4312	4884	WinSec.exe	98
PID 4884 wrote to memory of 4312	4884	WinSec.exe	98
PID 4312 wrote to memory of 4420	4312	WinSec.exe	99
PID 4312 wrote to memory of 4420	4312	WinSec.exe	99
PID 4312 wrote to memory of 4420	4312	WinSec.exe	99
PID 4312 wrote to memory of 4420	4312	WinSec.exe	99
PID 4312 wrote to memory of 4420	4312	WinSec.exe	99
PID 4312 wrote to memory of 4420	4312	WinSec.exe	99
PID 4312 wrote to memory of 4420	4312	WinSec.exe	99
PID 4312 wrote to memory of 4420	4312	WinSec.exe	99
PID 4420 wrote to memory of 4220	4420	WinSec.exe	100

C:\Users\Admin\AppData\Local\Temp\436a5dc35ac6708c2c44de0def8a5372_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\436a5dc35ac6708c2c44de0def8a5372_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Local\Temp\436a5dc35ac6708c2c44de0def8a5372_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\436a5dc35ac6708c2c44de0def8a5372_JaffaCakes118.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\SysWOW64\WinSec.exe
    C:\Windows\system32\WinSec.exe 1008 "C:\Users\Admin\AppData\Local\Temp\436a5dc35ac6708c2c44de0def8a5372_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4232
  - - C:\Windows\SysWOW64\WinSec.exe
      "C:\Windows\SysWOW64\WinSec.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\SysWOW64\WinSec.exe
        
        C:\Windows\system32\WinSec.exe 1152 "C:\Windows\SysWOW64\WinSec.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2120
      - C:\Windows\SysWOW64\WinSec.exe
        
        "C:\Windows\SysWOW64\WinSec.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\WinSec.exe
        
        C:\Windows\system32\WinSec.exe 1124 "C:\Windows\SysWOW64\WinSec.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\WinSec.exe
        
        "C:\Windows\SysWOW64\WinSec.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\WinSec.exe
        
        C:\Windows\system32\WinSec.exe 1120 "C:\Windows\SysWOW64\WinSec.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\WinSec.exe
        
        "C:\Windows\SysWOW64\WinSec.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\WinSec.exe
        
        C:\Windows\system32\WinSec.exe 1120 "C:\Windows\SysWOW64\WinSec.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\WinSec.exe
        
        "C:\Windows\SysWOW64\WinSec.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\WinSec.exe
        
        C:\Windows\system32\WinSec.exe 1124 "C:\Windows\SysWOW64\WinSec.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4220
        
        C:\Windows\SysWOW64\WinSec.exe
        
        "C:\Windows\SysWOW64\WinSec.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\WinSec.exe
        
        C:\Windows\system32\WinSec.exe 1112 "C:\Windows\SysWOW64\WinSec.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5104
        
        C:\Windows\SysWOW64\WinSec.exe
        
        "C:\Windows\SysWOW64\WinSec.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\SysWOW64\WinSec.exe
        
        C:\Windows\system32\WinSec.exe 1120 "C:\Windows\SysWOW64\WinSec.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1860
        
        C:\Windows\SysWOW64\WinSec.exe
        
        "C:\Windows\SysWOW64\WinSec.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4268
        
        C:\Windows\SysWOW64\WinSec.exe
        
        C:\Windows\system32\WinSec.exe 936 "C:\Windows\SysWOW64\WinSec.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4464
        
        C:\Windows\SysWOW64\WinSec.exe
        
        "C:\Windows\SysWOW64\WinSec.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\WinSec.exe
        
        C:\Windows\system32\WinSec.exe 1124 "C:\Windows\SysWOW64\WinSec.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:5020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\WinSec.exe

Filesize
166KB

MD5
436a5dc35ac6708c2c44de0def8a5372

SHA1
d4d5185808afbab0f8457b56ea13ef605f2b148b

SHA256
2ae39fe94301bab47aea05ab4e121f025b37d1bf331723b7e83bba7006fac609

SHA512
84279699f253710bb2111c9bbae0c820d212c6388e854ca86499fe53998791376db98cce7df90cfa40fc490aae8dfad07589ea84847bd9fc8ee1fc19b83c5ad8

Download Submit
memory/1584-66-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2104-30-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2608-21-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2608-19-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2608-20-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2936-75-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3404-14-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3404-2-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3404-5-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3404-4-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3900-38-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3900-39-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4268-84-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4328-93-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4420-56-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4420-57-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4884-48-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download