aac45dc884e2c97308c0ce79fc0061e4e881fa4bb627c0fa2c1d30782718e4f8

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49a54871c4cd8e31a39816aa19d82949_JaffaCakes118.exe
Size

92KB
MD5

49a54871c4cd8e31a39816aa19d82949
SHA1

30e536150e3cd4c7f95eb50e22b72a6595efc4b1
SHA256

aac45dc884e2c97308c0ce79fc0061e4e881fa4bb627c0fa2c1d30782718e4f8
SHA512

b6c187fa3adee39fd866d3b6c2913f316e72dd666d306f0736815d0b07689454208fcb633c918e53398d22b3d376ea0ae310c022d13263f3f630cc912d945fa2
SSDEEP

1536:Q2IdoVafg6XQ+baSdXhayjw6xVTPxZjfVqLdoz3kBxxK2reuYsZY5O4WP1c/XtNY:Q2IOMfg6XQ+baGhayjw6xVTPxZzVqLdl

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4272	rundll32.exe
3464	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Oceyazopesiqaso = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\MCofcmab.dll\",Startup"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4272	rundll32.exe
4272	rundll32.exe
4272	rundll32.exe
4272	rundll32.exe
4272	rundll32.exe
4272	rundll32.exe
4272	rundll32.exe
4272	rundll32.exe
4272	rundll32.exe
4272	rundll32.exe
4272	rundll32.exe
4272	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 4272	4800	49a54871c4cd8e31a39816aa19d82949_JaffaCakes118.exe	84
PID 4800 wrote to memory of 4272	4800	49a54871c4cd8e31a39816aa19d82949_JaffaCakes118.exe	84
PID 4800 wrote to memory of 4272	4800	49a54871c4cd8e31a39816aa19d82949_JaffaCakes118.exe	84
PID 4272 wrote to memory of 3464	4272	rundll32.exe	89
PID 4272 wrote to memory of 3464	4272	rundll32.exe	89
PID 4272 wrote to memory of 3464	4272	rundll32.exe	89

C:\Users\Admin\AppData\Local\Temp\49a54871c4cd8e31a39816aa19d82949_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\49a54871c4cd8e31a39816aa19d82949_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\MCofcmab.dll",Startup
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\MCofcmab.dll",iep
    3⤵
    - Loads dropped DLL
    PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MCofcmab.dll

Filesize
92KB

MD5
a2e134fc855fed02661debb127a9ba4c

SHA1
5acb10508cd2b0cabd2ea9b00e261b5a88f3979c

SHA256
80f60717745b3be31d7d0ad0e16db42d9e174054cd71087964ade144d99928a7

SHA512
a4360def2f93b9620e1248af60be82d74f9c83c02d49548b4cc080f0f0b95cbc20167a55fd1f37492e5412ec77473a9326d5f720af854f0a709d860adcfc90e6

Download Submit
memory/3464-23-0x0000000002250000-0x0000000002260000-memory.dmp

Filesize
64KB

Download
memory/3464-28-0x0000000002250000-0x0000000002260000-memory.dmp

Filesize
64KB

Download
memory/3464-29-0x0000000002250000-0x0000000002260000-memory.dmp

Filesize
64KB

Download
memory/3464-25-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/3464-22-0x0000000002250000-0x0000000002260000-memory.dmp

Filesize
64KB

Download
memory/4272-8-0x00000000021E0000-0x00000000021F0000-memory.dmp

Filesize
64KB

Download
memory/4272-24-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/4272-11-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/4272-7-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/4272-9-0x00000000021E0000-0x00000000021F0000-memory.dmp

Filesize
64KB

Download
memory/4272-17-0x00000000021E0000-0x00000000021F0000-memory.dmp

Filesize
64KB

Download
memory/4272-16-0x00000000021E0000-0x00000000021F0000-memory.dmp

Filesize
64KB

Download
memory/4272-21-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/4800-15-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/4800-1-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/4800-10-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/4800-14-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/4800-2-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/4800-0-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download