b2ad799f939e04e3ed45a79ee1560ec5f0b7d29ba3b1fc4cb3854b756c1c0e8b

Analysis

max time kernel
91s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 15:04

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

422faaf76fbbd5c696e24718328bd066_JaffaCakes118.exe
Size

24KB
MD5

422faaf76fbbd5c696e24718328bd066
SHA1

e1b85574f4613154c58e5d68aa6aeb51fc79a261
SHA256

b2ad799f939e04e3ed45a79ee1560ec5f0b7d29ba3b1fc4cb3854b756c1c0e8b
SHA512

9745b3a601991af773b8db5b8e16afe311a5d088bdc9b3fe93b39c2551286244983e1a6369892b0e65b49b302281b28769eb72bf81ed587ccd65858af722a71e
SSDEEP

768:41NAUsbxtT6sFst/3IrdlLUwn9nbcuyD7U+rO:41NAUwtT6sFstwrbUQnouy8QO

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4164-0-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/4164-4-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/4164-9-0x0000000000400000-0x0000000000411000-memory.dmp	upx

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "74"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

pid	Process
4368	PING.EXE
2984	PING.EXE
1120	PING.EXE
3508	PING.EXE
656	PING.EXE
3188	PING.EXE
1720	PING.EXE
2100	PING.EXE
1112	PING.EXE
2692	PING.EXE
3204	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2600	shutdown.exe
Token: SeRemoteShutdownPrivilege	2600	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4436	LogonUI.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 2472	4164	422faaf76fbbd5c696e24718328bd066_JaffaCakes118.exe	85
PID 4164 wrote to memory of 2472	4164	422faaf76fbbd5c696e24718328bd066_JaffaCakes118.exe	85
PID 4164 wrote to memory of 2472	4164	422faaf76fbbd5c696e24718328bd066_JaffaCakes118.exe	85
PID 2472 wrote to memory of 1720	2472	cmd.exe	86
PID 2472 wrote to memory of 1720	2472	cmd.exe	86
PID 2472 wrote to memory of 1720	2472	cmd.exe	86
PID 2472 wrote to memory of 2100	2472	cmd.exe	89
PID 2472 wrote to memory of 2100	2472	cmd.exe	89
PID 2472 wrote to memory of 2100	2472	cmd.exe	89
PID 2472 wrote to memory of 2692	2472	cmd.exe	90
PID 2472 wrote to memory of 2692	2472	cmd.exe	90
PID 2472 wrote to memory of 2692	2472	cmd.exe	90
PID 2472 wrote to memory of 3204	2472	cmd.exe	91
PID 2472 wrote to memory of 3204	2472	cmd.exe	91
PID 2472 wrote to memory of 3204	2472	cmd.exe	91
PID 2472 wrote to memory of 5040	2472	cmd.exe	92
PID 2472 wrote to memory of 5040	2472	cmd.exe	92
PID 2472 wrote to memory of 5040	2472	cmd.exe	92
PID 2472 wrote to memory of 4368	2472	cmd.exe	96
PID 2472 wrote to memory of 4368	2472	cmd.exe	96
PID 2472 wrote to memory of 4368	2472	cmd.exe	96
PID 2472 wrote to memory of 2984	2472	cmd.exe	97
PID 2472 wrote to memory of 2984	2472	cmd.exe	97
PID 2472 wrote to memory of 2984	2472	cmd.exe	97
PID 2472 wrote to memory of 1112	2472	cmd.exe	98
PID 2472 wrote to memory of 1112	2472	cmd.exe	98
PID 2472 wrote to memory of 1112	2472	cmd.exe	98
PID 2472 wrote to memory of 1120	2472	cmd.exe	99
PID 2472 wrote to memory of 1120	2472	cmd.exe	99
PID 2472 wrote to memory of 1120	2472	cmd.exe	99
PID 2472 wrote to memory of 3508	2472	cmd.exe	100
PID 2472 wrote to memory of 3508	2472	cmd.exe	100
PID 2472 wrote to memory of 3508	2472	cmd.exe	100
PID 2472 wrote to memory of 656	2472	cmd.exe	101
PID 2472 wrote to memory of 656	2472	cmd.exe	101
PID 2472 wrote to memory of 656	2472	cmd.exe	101
PID 2472 wrote to memory of 3188	2472	cmd.exe	102
PID 2472 wrote to memory of 3188	2472	cmd.exe	102
PID 2472 wrote to memory of 3188	2472	cmd.exe	102
PID 2472 wrote to memory of 2600	2472	cmd.exe	103
PID 2472 wrote to memory of 2600	2472	cmd.exe	103
PID 2472 wrote to memory of 2600	2472	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\422faaf76fbbd5c696e24718328bd066_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\422faaf76fbbd5c696e24718328bd066_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8B19.tmp\PC Guard Antivirus 2010.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:1720
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:2100
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:2692
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 2
    3⤵
    - Runs ping.exe
    PID:3204
- - C:\Windows\SysWOW64\tree.com
    tree
    3⤵
    PID:5040
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 1
    3⤵
    - Runs ping.exe
    PID:4368
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 1
    3⤵
    - Runs ping.exe
    PID:2984
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:1112
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 2
    3⤵
    - Runs ping.exe
    PID:1120
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 2
    3⤵
    - Runs ping.exe
    PID:3508
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 2
    3⤵
    - Runs ping.exe
    PID:656
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 6
    3⤵
    - Runs ping.exe
    PID:3188
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown -r -t 30 -c "Riavvio del PC per la completa rimozione, grazie per aver usato il nostro prodotto!"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2600

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3944055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8B19.tmp\PC Guard Antivirus 2010.bat

Filesize
882B

MD5
f75f1ccf45f1f9073a16cd332a195186

SHA1
af990311e363864111b5f2a334c01fb36b368453

SHA256
086875dc456de3c3ea211c2365d659ed50354951a3cc705fdf11a954563842b8

SHA512
6289abf8a0ea0202ff2ad33c48a6632c0782d7d5d08ade72274c9acfe08ba7cd70d3984cce7e49a88ffe86240f1f0fc4e54c67cd24a43366842bdc2901cd8832

Download Submit
memory/4164-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4164-4-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4164-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download