f2257921b227f1202b8976f99417bb54e204f97f6be6ecf00ae4b9c91f1c9eaf

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 16:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

42751bec7b992404f085fe03a28a6bdc_JaffaCakes118.exe
Size

19KB
MD5

42751bec7b992404f085fe03a28a6bdc
SHA1

0c1413b48ebc1925f9bee97b19f052a5c48e9351
SHA256

f2257921b227f1202b8976f99417bb54e204f97f6be6ecf00ae4b9c91f1c9eaf
SHA512

2ca0577fa957ae2858807183510c8d63bb3f1ab5ee9202d5bb0894ea26cbd597189925aad30f2d2920ca78373b4772fa8b397fcf6b429bc99ae92033b71d4ad7
SSDEEP

192:TIO6tvzDfDykdHIijKePASvs/R6NJUkBBctF3Uc09qb6T9W:TNU7D1d4Svs/R6NCD8c09KO

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1444	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1444	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Online Service = "C:\\Windows\\svchost.exe"	42751bec7b992404f085fe03a28a6bdc_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\msto32.dll	42751bec7b992404f085fe03a28a6bdc_JaffaCakes118.exe
File opened for modification	C:\Windows\sysini.ini	42751bec7b992404f085fe03a28a6bdc_JaffaCakes118.exe
File opened for modification	C:\Windows\sysini.ini	svchost.exe
File created	C:\Windows\svchost.exe	42751bec7b992404f085fe03a28a6bdc_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4896	42751bec7b992404f085fe03a28a6bdc_JaffaCakes118.exe
4896	42751bec7b992404f085fe03a28a6bdc_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1444	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 1444	4896	42751bec7b992404f085fe03a28a6bdc_JaffaCakes118.exe	88
PID 4896 wrote to memory of 1444	4896	42751bec7b992404f085fe03a28a6bdc_JaffaCakes118.exe	88
PID 4896 wrote to memory of 1444	4896	42751bec7b992404f085fe03a28a6bdc_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\42751bec7b992404f085fe03a28a6bdc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\42751bec7b992404f085fe03a28a6bdc_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\msto32.dll

Filesize
3KB

MD5
106542e56412f98a0c71288813194c33

SHA1
55562e17c41f983ce27e5cc33939ca1840d54acd

SHA256
595e3e4fffda5e8b9a668c1e56d1c174e1426f70408456ddef4ef0bd4bcd0f3f

SHA512
4be384a1fbb7e70149b56ae8033b020e5e2afca9ee86e0ad2ec9dfc893b5317a29618d2f1079c963752345f1c198321fa5e020c178ffb19834bdf142523f1aa5

Download Submit
C:\Windows\svchost.exe

Filesize
11KB

MD5
660f8103b5030126b2c8047da1545ae1

SHA1
bc5753d6283227f9f61091465a65d30beb5badcc

SHA256
0dae96ceb4ffa2697cb2637d5d8600c221d94ac876776ddbe78a8564229effca

SHA512
e3580e3f1c34559400bce70c053ff2d13c130b220c8df6aa930e4cf1696b6101a0def7c0ff11bdf604ba6aff7d49843dc8ed9715375fd44eea967fd872475ae7

Download Submit
C:\Windows\sysini.ini

Filesize
42B

MD5
01f5641239c88d486028c4fecab2169d

SHA1
98b737ba0e731c1bc804900d34598e0a00b9faaa

SHA256
95edd82a58e7338cbfc267f71614f48ef7a2434f5f635e8d622f5de1a5a0f6f3

SHA512
7fe732228ae1dfdfc2eca0febd2bf389606f078449a872fde97996befe628216f13bcbc673592fd185360485894ed5befb9bcf8d278eb1fe399367d0e5d480b2

Download Submit