61a41bce35be1e2a3bf9081353b2d2ad9aa20694483d226bb04e4fdd8633bcf6

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 08:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4107e4556eda29e0c81c33b0197c9010_JaffaCakes118.exe
Size

162KB
MD5

4107e4556eda29e0c81c33b0197c9010
SHA1

696aca6ab6fca985985591e8a0fff7b30abeed63
SHA256

61a41bce35be1e2a3bf9081353b2d2ad9aa20694483d226bb04e4fdd8633bcf6
SHA512

80e0b95452659afb4b81df576ddbc0c449448111f82b84e854d637ebd19b8cf5880c5055c742d726408ff36efe35226183c9211231a783255e92a53cee7b0e58
SSDEEP

3072:uuxkZuTXJe6p6e079QRwDA7VTxIbOfWRakPcKXPf:uSE6we0RQsA71ibOusQtPf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3020	Au_.exe

Loads dropped DLL 3 IoCs

pid	Process
3020	Au_.exe
3020	Au_.exe
3020	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000234b4-4.dat	nsis_installer_1
behavioral2/files/0x00070000000234b4-4.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3020	Au_.exe
3020	Au_.exe
3020	Au_.exe
3020	Au_.exe
3020	Au_.exe
3020	Au_.exe
3020	Au_.exe
3020	Au_.exe
3020	Au_.exe
3020	Au_.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	Au_.exe
Token: SeDebugPrivilege	3020	Au_.exe
Token: SeDebugPrivilege	3020	Au_.exe
Token: SeDebugPrivilege	3020	Au_.exe
Token: SeDebugPrivilege	3020	Au_.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 3020	4736	4107e4556eda29e0c81c33b0197c9010_JaffaCakes118.exe	85
PID 4736 wrote to memory of 3020	4736	4107e4556eda29e0c81c33b0197c9010_JaffaCakes118.exe	85
PID 4736 wrote to memory of 3020	4736	4107e4556eda29e0c81c33b0197c9010_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\4107e4556eda29e0c81c33b0197c9010_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4107e4556eda29e0c81c33b0197c9010_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsvD4F5.tmp\ComSetup.dll

Filesize
174KB

MD5
ed1cddf37989bee6a30d0e8367267f6a

SHA1
4d4e8e4f63ded7f70d937dc44182608a1de634e0

SHA256
4d0cd88695cc209b042bd98d682373efa76b3d442d361f92606149a55b09909a

SHA512
a5ddb11af1025ba435d67051eab50f7f0831005e05408acec1a22bd0289a34207f9e0ef8bd6b0b6c2437d76003713b1dbc8b2923461327206ce29cd5f035a5a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvD4F5.tmp\InstallOptions.dll

Filesize
14KB

MD5
0dc0cc7a6d9db685bf05a7e5f3ea4781

SHA1
5d8b6268eeec9d8d904bc9d988a4b588b392213f

SHA256
8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c

SHA512
814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvD4F5.tmp\ioSpecial.ini

Filesize
1KB

MD5
e779048cb47df997e125745d70f509db

SHA1
e06cf885af6c70016b79d6f1785cbd7f603222dc

SHA256
923cbf91d6cf3196aa773853805ddb33ade5ba40ff3f9b41355aa727b86d30c0

SHA512
e25c6203540f18b3b8b79013decc652c83676b13f0ba935337213041134fce76810c56991d1ebdcac762e009ea56532093d9734d86b7e4acc1a96c13d9125e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvD4F5.tmp\ioSpecial.ini

Filesize
568B

MD5
ea2ee5690c2dbc3c377a008945727eeb

SHA1
edfdd06ee903ae17839bd87c2fc4940751e61c59

SHA256
2c09ad1f7e4d4a73adfcac85a1c0a5720a7817bfa247fef13852ad165c4c8c90

SHA512
1b89e5becff27c431226c63cd669562b98290d0d0f9055db40a2a721f4b0097b4ef95eb3ed42db7c2d21a1817328f191bccfb102a31ba548c1a632ceec6f7e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvD4F5.tmp\ioSpecial.ini

Filesize
993B

MD5
80d63919b65c48db8e92f5dbf2450f0e

SHA1
7bd1cb0d21a647e0417112b4af0ef7ddd147908e

SHA256
adf5d6e7efbc46020cd6854c8fd0697f09dd35a118d450b08276a5cca32856d5

SHA512
6fda2c2a606f22b6c11240c3caaf293e728b4dad54b570b04b06216b2641b9670ecd50a9411bdd544db415b0b6734e55dc7f910cb1e6c67401655a7effd7bcc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
162KB

MD5
4107e4556eda29e0c81c33b0197c9010

SHA1
696aca6ab6fca985985591e8a0fff7b30abeed63

SHA256
61a41bce35be1e2a3bf9081353b2d2ad9aa20694483d226bb04e4fdd8633bcf6

SHA512
80e0b95452659afb4b81df576ddbc0c449448111f82b84e854d637ebd19b8cf5880c5055c742d726408ff36efe35226183c9211231a783255e92a53cee7b0e58

Download Submit