f47e4d46d4f3b2e197975cef55634dab7b8f13e8d0bdadab5f04f0ca5cbd0368

Analysis

max time kernel
150s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f6700f557b1e20eb8f647f79dacfa38_JaffaCakes118.exe
Size

133KB
MD5

3f6700f557b1e20eb8f647f79dacfa38
SHA1

429e2d5eb15694f5a0ec4ea1b1397a6fc769255b
SHA256

f47e4d46d4f3b2e197975cef55634dab7b8f13e8d0bdadab5f04f0ca5cbd0368
SHA512

8839e8b95a6aae7d6056d3e16fcd0287eba1ab1c21774fdf0f31f9ac20c52cb2827df7201f1d5eddaa8e9ea4624d4342ff625c6bce43d41e4576c1abd08e48ca
SSDEEP

3072:+kwfBWX/oJGBhKcXsqog9SFXOgT2i20y5PuhHDS/Vg:s+IksqofhKlaHDS/V

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2624	Xxuxea.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Xxuxea.exe	3f6700f557b1e20eb8f647f79dacfa38_JaffaCakes118.exe
File opened for modification	C:\Windows\Xxuxea.exe	3f6700f557b1e20eb8f647f79dacfa38_JaffaCakes118.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Xxuxea.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Xxuxea.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	3f6700f557b1e20eb8f647f79dacfa38_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	3f6700f557b1e20eb8f647f79dacfa38_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\Main	Xxuxea.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\International	Xxuxea.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe
2624	Xxuxea.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4380	3f6700f557b1e20eb8f647f79dacfa38_JaffaCakes118.exe
2624	Xxuxea.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 2624	4380	3f6700f557b1e20eb8f647f79dacfa38_JaffaCakes118.exe	86
PID 4380 wrote to memory of 2624	4380	3f6700f557b1e20eb8f647f79dacfa38_JaffaCakes118.exe	86
PID 4380 wrote to memory of 2624	4380	3f6700f557b1e20eb8f647f79dacfa38_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\3f6700f557b1e20eb8f647f79dacfa38_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f6700f557b1e20eb8f647f79dacfa38_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Windows\Xxuxea.exe
  C:\Windows\Xxuxea.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
390B

MD5
7570cfd866478073bed3edf39dceb506

SHA1
1f7dc853a42796d93ecc2ab999f2bf1feb44402a

SHA256
33f6a1f24c928211b26fc8e03fd7755f04ec2bb358a5feb0280ee7539429afc0

SHA512
7e751c09ea581d453e59882da2afd775bf9a1a5b1607e23f4b697f120c1808498f9220beafd25687cdcb4131da6af27179f6171fd67afa6f8c371869661212db

Download Submit
C:\Windows\Xxuxea.exe

Filesize
133KB

MD5
3f6700f557b1e20eb8f647f79dacfa38

SHA1
429e2d5eb15694f5a0ec4ea1b1397a6fc769255b

SHA256
f47e4d46d4f3b2e197975cef55634dab7b8f13e8d0bdadab5f04f0ca5cbd0368

SHA512
8839e8b95a6aae7d6056d3e16fcd0287eba1ab1c21774fdf0f31f9ac20c52cb2827df7201f1d5eddaa8e9ea4624d4342ff625c6bce43d41e4576c1abd08e48ca

Download Submit
memory/2624-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2624-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2624-95667-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2624-95668-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2624-95669-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2624-95670-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2624-95672-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2624-95676-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4380-0-0x00000000021A0000-0x00000000021BD000-memory.dmp

Filesize
116KB

Download
memory/4380-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download