1bc82badd73d98a0096c156a32da464080c5c2f547d59283e935fe32a69806a4

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2024, 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4724143e7b758926f4dfcb151eb7a29b_JaffaCakes118.exe
Size

125KB
MD5

4724143e7b758926f4dfcb151eb7a29b
SHA1

793960b51e8edb184ce2c62c76adeb87a933e910
SHA256

1bc82badd73d98a0096c156a32da464080c5c2f547d59283e935fe32a69806a4
SHA512

c0fb9b77a217c1708412a7c72d1a9183f6425a03895f3a34ff9e53521cc87e0900f4e6d927bdccfe4cb4595c2391b86c8e1ffd9b2aefe6dfd7497b96fc02fed6
SSDEEP

3072:EJgwBIxhn+dz7diTqkGqcZBUPs7dHNnu3lAzyDJkluJfBd8f:EuwWx8fScnUPey1BtB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1448	Hcycua.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	4724143e7b758926f4dfcb151eb7a29b_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	4724143e7b758926f4dfcb151eb7a29b_JaffaCakes118.exe
File created	C:\Windows\Hcycua.exe	4724143e7b758926f4dfcb151eb7a29b_JaffaCakes118.exe
File opened for modification	C:\Windows\Hcycua.exe	4724143e7b758926f4dfcb151eb7a29b_JaffaCakes118.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Hcycua.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Hcycua.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Main	Hcycua.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\International	Hcycua.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe
1448	Hcycua.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 1448	4996	4724143e7b758926f4dfcb151eb7a29b_JaffaCakes118.exe	86
PID 4996 wrote to memory of 1448	4996	4724143e7b758926f4dfcb151eb7a29b_JaffaCakes118.exe	86
PID 4996 wrote to memory of 1448	4996	4724143e7b758926f4dfcb151eb7a29b_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\4724143e7b758926f4dfcb151eb7a29b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4724143e7b758926f4dfcb151eb7a29b_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Windows\Hcycua.exe
  C:\Windows\Hcycua.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hcycua.exe

Filesize
125KB

MD5
4724143e7b758926f4dfcb151eb7a29b

SHA1
793960b51e8edb184ce2c62c76adeb87a933e910

SHA256
1bc82badd73d98a0096c156a32da464080c5c2f547d59283e935fe32a69806a4

SHA512
c0fb9b77a217c1708412a7c72d1a9183f6425a03895f3a34ff9e53521cc87e0900f4e6d927bdccfe4cb4595c2391b86c8e1ffd9b2aefe6dfd7497b96fc02fed6

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
390B

MD5
d830f35b2e602d5341b4117ebb0266da

SHA1
a12b16a5f4065c5e40e35ff10097642902641950

SHA256
44ba0217ec47e4faaa6fbba7f3033df4b245db36078ab00021385ecabdc24809

SHA512
8fb994338d688f08aeb03d28bd374e5c0d0ca38bcab156f43c4f1ad14412e8ae6a7f7a020ddfda5e429ee4dcd6fce1dd3beb0212a0c09d64fe56ec5d73e7a30a

Download Submit
memory/1448-102085-0x00000000006B0000-0x00000000006DE000-memory.dmp

Filesize
184KB

Download
memory/1448-9-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1448-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1448-102084-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1448-102088-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1448-102090-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1448-102092-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1448-102097-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1448-102105-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4996-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4996-101667-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4996-101666-0x0000000002050000-0x000000000207E000-memory.dmp

Filesize
184KB

Download
memory/4996-0-0x0000000002080000-0x0000000002093000-memory.dmp

Filesize
76KB

Download