5dcbd9390fdecc784283fafce4c2f1a5f396d314630bfc8849477e0dd569db89

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fdb952bf83b7e8caf5e8342e65fcdad_JaffaCakes118.exe
Size

13.9MB
MD5

3fdb952bf83b7e8caf5e8342e65fcdad
SHA1

ff39bc7215fc60ffd1bab484f079eba19bc430ce
SHA256

5dcbd9390fdecc784283fafce4c2f1a5f396d314630bfc8849477e0dd569db89
SHA512

f4939f7ebade4ad8c9982dbf954a90d5edac007c7425c1b0e4d79f223175183c38878356f6d3483526cd2c766a8e1120448403ed9f9858244ec6306cd198f23e
SSDEEP

393216:wFGoQXZZXWZS/P41coHUPL/GwkNWtQ/J41W8PW:Vo+bXWZS/PAckUzuWm4PPW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1376	tkD92B.tmp

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3040	3fdb952bf83b7e8caf5e8342e65fcdad_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1376 set thread context of 3656	1376	tkD92B.tmp	88

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\IspiHostAdmin.exe = "11000"	3fdb952bf83b7e8caf5e8342e65fcdad_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3040	3fdb952bf83b7e8caf5e8342e65fcdad_JaffaCakes118.exe
3040	3fdb952bf83b7e8caf5e8342e65fcdad_JaffaCakes118.exe
3040	3fdb952bf83b7e8caf5e8342e65fcdad_JaffaCakes118.exe
3040	3fdb952bf83b7e8caf5e8342e65fcdad_JaffaCakes118.exe
3040	3fdb952bf83b7e8caf5e8342e65fcdad_JaffaCakes118.exe
3040	3fdb952bf83b7e8caf5e8342e65fcdad_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 1376	3040	3fdb952bf83b7e8caf5e8342e65fcdad_JaffaCakes118.exe	86
PID 3040 wrote to memory of 1376	3040	3fdb952bf83b7e8caf5e8342e65fcdad_JaffaCakes118.exe	86
PID 3040 wrote to memory of 1376	3040	3fdb952bf83b7e8caf5e8342e65fcdad_JaffaCakes118.exe	86
PID 1376 wrote to memory of 3656	1376	tkD92B.tmp	88
PID 1376 wrote to memory of 3656	1376	tkD92B.tmp	88
PID 1376 wrote to memory of 3656	1376	tkD92B.tmp	88
PID 1376 wrote to memory of 3656	1376	tkD92B.tmp	88

C:\Users\Admin\AppData\Local\Temp\3fdb952bf83b7e8caf5e8342e65fcdad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3fdb952bf83b7e8caf5e8342e65fcdad_JaffaCakes118.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\tkD92B.tmp
  C:\Users\Admin\AppData\Local\Temp\tkD92B.tmp /p:3040 /t:3000
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tkD92B.tmp

Filesize
23KB

MD5
492892e94423c01fa24b56122493f931

SHA1
090ed869a7f5965709e5acd74215eccc297f3ecf

SHA256
191d2dbadf13e649f30b8996615bf4fba9c8f687ec832c2e881369e2e4b581df

SHA512
9eeb0176426e0b05f6861e7e0acb6a22b783925c610207ff0d12eb654c36e8c3265bebb5f555f8c41490bbd28d92b12dc8df6e4d3c5d83f866af09bcdf652421

Download Submit
memory/3040-0-0x0000000000E00000-0x000000000307A000-memory.dmp

Filesize
34.5MB

Download
memory/3040-2-0x0000000000E01000-0x000000000159C000-memory.dmp

Filesize
7.6MB

Download
memory/3040-1-0x0000000000E00000-0x000000000307A000-memory.dmp

Filesize
34.5MB

Download
memory/3040-4-0x0000000000E00000-0x000000000307A000-memory.dmp

Filesize
34.5MB

Download
memory/3040-5-0x0000000000E00000-0x000000000307A000-memory.dmp

Filesize
34.5MB

Download
memory/3040-11-0x0000000000E00000-0x000000000307A000-memory.dmp

Filesize
34.5MB

Download