a87738e066b11e8688c51ce2e06305085b00665e10b7505685004f645bb7b1c0

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2024, 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43c4336bff02bff4514f2fef458e9236_JaffaCakes118.exe
Size

89KB
MD5

43c4336bff02bff4514f2fef458e9236
SHA1

0af33cb074a08b4438568f9144258a7bf8b1be20
SHA256

a87738e066b11e8688c51ce2e06305085b00665e10b7505685004f645bb7b1c0
SHA512

61e03ca1316dca46f693c3e7671d7d8799dad27b5dba720ff4d34f30be10d043cfd75ab270115217c988e4e3cfdfb2072b1ba47d1bfa73ca7e0fd14be0ce52e1
SSDEEP

1536:E8ZCCNJsdtIK9RlgxkRqT5LXKaDmYBRl9mHg:EM079RlEeIKmBRl9mHg

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\windows\Comres.dll	43c4336bff02bff4514f2fef458e9236_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\68A12DE4422589E97E1C6396FE17B5024FE0547A	43c4336bff02bff4514f2fef458e9236_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\68A12DE4422589E97E1C6396FE17B5024FE0547A\Blob = 03000000010000001400000068a12de4422589e97e1c6396fe17b5024fe0547a2000000001000000600200003082025c308201c5a0030201020210a675093732e9e788423ec7ea62044de5300d06092a864886f70d01010405003036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d204732301e170d3131303531393134333632345a170d3339313233313233353935395a3036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d20473230819f300d06092a864886f70d010101050003818d0030818902818100ae2150b067d03ac307c1d6cfb294b8e57d1ec3335542584552a96b7926d1b95483aa79a52165c6c18b4aa502ca2f736d2ea84a299def604899f8a50b9932200c00a32c187fdfed2fb767783c1d6c27e55fee9aeb5d7b1085cb8fcc151bdebcdbecc5748cbb451b20f5ecd9e197c154e477d9d5d6a0cf8e9dabaf4e07fbf5f79f0203010001a36b306930670603551d010460305e80102128591d26a9fe32d38e84450f52f750a1383036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d2047328210a675093732e9e788423ec7ea62044de5300d06092a864886f70d01010405000381810069c4dcd3b8649bd6c952a0251d6a645c98c3d94ba7a9945992ee06fdbc1d36c53f9e4c77f25f77b6ad4df7599089a7d68cf89221fc49fda540341c833f692ee6cdd740da4b599e9a902c325b2de32d3657d8cf1206883b2e8296ab9c1d4ef406603a138ce17b8ee0740c990c99774f63fe8f8d5bd35d35591d2a3d6675b49967	43c4336bff02bff4514f2fef458e9236_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2200	43c4336bff02bff4514f2fef458e9236_JaffaCakes118.exe
2200	43c4336bff02bff4514f2fef458e9236_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	2200	43c4336bff02bff4514f2fef458e9236_JaffaCakes118.exe
Token: SeRestorePrivilege	2200	43c4336bff02bff4514f2fef458e9236_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 5028	2200	43c4336bff02bff4514f2fef458e9236_JaffaCakes118.exe	86
PID 2200 wrote to memory of 5028	2200	43c4336bff02bff4514f2fef458e9236_JaffaCakes118.exe	86
PID 2200 wrote to memory of 5028	2200	43c4336bff02bff4514f2fef458e9236_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\43c4336bff02bff4514f2fef458e9236_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\43c4336bff02bff4514f2fef458e9236_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c afc9fe2f418b00a0.bat
  2⤵
  PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat

Filesize
2KB

MD5
d4c5a5dd1824437c36d78e68e8c23b36

SHA1
4c1b1b1a454eae08d6eaeb2b1ff5c207b2e1fb59

SHA256
7ccaef49868d1ba0e71c91b815295b8a665b632a43e934d63b8e7e85b6af41c4

SHA512
f81133f2169ad1b939d8359dee1e484c1916986646b91518f9c444816d93e388ff6e0ce2236b9e5926dd7b029cb3b11cd2fa9b1dbdc04e9c82a71b0f560c5df3

Download Submit