da00652708b848d7f9056b814a742cfd0f6ea90a22a084b6f9527623d2ae913e

Analysis

max time kernel
141s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 12:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

49c975cc9d7f2917b0fcce4155703dc1_JaffaCakes118.exe
Size

70KB
MD5

49c975cc9d7f2917b0fcce4155703dc1
SHA1

d5005c0a371889dc85dffa8af209b5337780832c
SHA256

da00652708b848d7f9056b814a742cfd0f6ea90a22a084b6f9527623d2ae913e
SHA512

181abe081ff1dced024d3541ae6f312c952695b0759367e9918e344c0519accd0d10a743271f5a3d996466a6f723fcd764b1c072332fd68c7217814e63a747fa
SSDEEP

1536:NLN9c3B9xKsKBC5g+ilThc2RVGhhdeSBJ:NLN9cx9UsKoS+eTfRqeS

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mapdiag = "C:\\ProgramData\\mapdiag.exe"	49c975cc9d7f2917b0fcce4155703dc1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mapdiag = "C:\\ProgramData\\mapdiag.exe"	49c975cc9d7f2917b0fcce4155703dc1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fcdefrag = "C:\\Users\\Admin\\AppData\\Roaming\\fcdefrag.exe"	49c975cc9d7f2917b0fcce4155703dc1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fcdefrag = "C:\\Users\\Admin\\AppData\\Roaming\\fcdefrag.exe"	49c975cc9d7f2917b0fcce4155703dc1_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3652	49c975cc9d7f2917b0fcce4155703dc1_JaffaCakes118.exe
3652	49c975cc9d7f2917b0fcce4155703dc1_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\49c975cc9d7f2917b0fcce4155703dc1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\49c975cc9d7f2917b0fcce4155703dc1_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3652-0-0x0000000000700000-0x0000000000715000-memory.dmp

Filesize
84KB

Download
memory/3652-1-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3652-12-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3652-14-0x0000000000700000-0x0000000000715000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads