756485c1031bb69312c799e3d34ae0f427ca4e4d01e1d68dfca9540277b680af

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 04:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

401ee3776848f590558c50b1810b429c_JaffaCakes118.exe
Size

115KB
MD5

401ee3776848f590558c50b1810b429c
SHA1

732659dd4df03c1f10daf03461a552f993340e6a
SHA256

756485c1031bb69312c799e3d34ae0f427ca4e4d01e1d68dfca9540277b680af
SHA512

e300b400aea53afcd8afcb1014b7d25f64aa4c1699bb21bbe7774b34841007b205a92903648efd5d3316746285bccf359da697420ffb919b8c61c59e62f63291
SSDEEP

3072:OFIlrQ2hKqXiT+V5XC6vVL7HQmy6dx+fVr5epX:sErQORz5XC6vVLTQ8d

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3280	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe
3280	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ryy = "C:\\Windows\\rundl132.exe"	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dlyy.dll	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe
File opened for modification	C:\Windows\rundl132.exe	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4344	3280	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3280	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe
3280	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe
3280	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe
3280	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe
3280	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe
3280	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe
3280	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe
3280	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe
3280	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe
3280	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe
3280	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe
3280	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe
3280	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe
3280	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe
3280	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe
3280	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe
3280	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe
3280	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe
3280	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe
3280	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe
3280	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe
3280	401ee3776848f590558c50b1810b429c_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\401ee3776848f590558c50b1810b429c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\401ee3776848f590558c50b1810b429c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 348
  2⤵
  - Program crash
  PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3280 -ip 3280
1⤵
PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dlyy.dll

Filesize
99KB

MD5
876317963ab1251b077ec8fa6f5e2096

SHA1
3f1c490fe500e52787d7f12da75b803e922ff270

SHA256
e4944e7c11123d4175ca1acb8cba21dbbe9b19a18c610924fa947e75d0e7448b

SHA512
0f357ef792100f08f524e2c43b914f9c39af1534c90ffc22ef10b0f563a4e812ca163f06f2e2c362272fb67dcf5a890eb2d1433e9b812ed111a204e3412cc124

Download Submit
memory/3280-0-0x0000000000800000-0x000000000082A031-memory.dmp

Filesize
168KB

Download
memory/3280-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/3280-9-0x0000000002610000-0x000000000266B000-memory.dmp

Filesize
364KB

Download
memory/3280-10-0x0000000000800000-0x000000000082A031-memory.dmp

Filesize
168KB

Download