baf55150578e77f3624eacb7e912aba43744765e18a73d91f2987d36f326c426

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42b9e379dd98f35e835daaa337f00f81_JaffaCakes118.exe
Size

593KB
MD5

42b9e379dd98f35e835daaa337f00f81
SHA1

1946a7c1f6e03e4b8470e72b9b20b56281a25d2e
SHA256

baf55150578e77f3624eacb7e912aba43744765e18a73d91f2987d36f326c426
SHA512

d50d9e223a8a36c726bb17701123503f44bc753614360d7fcf3c070bf9ebf59f1d9fa4e41a9d08d40760c76fdd2ecc9724dae00c365767806e715b0f9165e1d1
SSDEEP

12288:YNMZOYU4xKCkdeX426F3Z4mxx07sIcOa/Y91TVKdX92:uMZHK7K426QmXqsINwrN92

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2476	realplay.cmd

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Real\RealPlayer\NtmsSvc\realplay.cmd	42b9e379dd98f35e835daaa337f00f81_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Real\RealPlayer\NtmsSvc\realplay.cmd	42b9e379dd98f35e835daaa337f00f81_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4052	42b9e379dd98f35e835daaa337f00f81_JaffaCakes118.exe
Token: SeDebugPrivilege	2476	realplay.cmd

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2476	realplay.cmd

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2732	2476	realplay.cmd	87
PID 2476 wrote to memory of 2732	2476	realplay.cmd	87

C:\Users\Admin\AppData\Local\Temp\42b9e379dd98f35e835daaa337f00f81_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\42b9e379dd98f35e835daaa337f00f81_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Program Files (x86)\Real\RealPlayer\NtmsSvc\realplay.cmd
"C:\Program Files (x86)\Real\RealPlayer\NtmsSvc\realplay.cmd"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Real\RealPlayer\NtmsSvc\realplay.cmd

Filesize
593KB

MD5
42b9e379dd98f35e835daaa337f00f81

SHA1
1946a7c1f6e03e4b8470e72b9b20b56281a25d2e

SHA256
baf55150578e77f3624eacb7e912aba43744765e18a73d91f2987d36f326c426

SHA512
d50d9e223a8a36c726bb17701123503f44bc753614360d7fcf3c070bf9ebf59f1d9fa4e41a9d08d40760c76fdd2ecc9724dae00c365767806e715b0f9165e1d1

Download Submit
memory/2476-28-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/2476-25-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/4052-9-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4052-7-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/4052-18-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4052-17-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/4052-16-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4052-11-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/4052-10-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/4052-0-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/4052-8-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/4052-19-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/4052-6-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/4052-5-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/4052-4-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/4052-3-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/4052-2-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/4052-12-0x00000000034B0000-0x00000000034B4000-memory.dmp

Filesize
16KB

Download
memory/4052-24-0x0000000002330000-0x0000000002384000-memory.dmp

Filesize
336KB

Download
memory/4052-23-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/4052-13-0x00000000035B0000-0x00000000035B1000-memory.dmp

Filesize
4KB

Download
memory/4052-1-0x0000000002330000-0x0000000002384000-memory.dmp

Filesize
336KB

Download