8bbb560c9f9db0d11a090180ad04b30ca4aa07108d8284d59ae3c39d091a61ed

Analysis

max time kernel
94s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a9c6a14ce99a17219edf560a2f94f20_JaffaCakes118.exe
Size

34KB
MD5

4a9c6a14ce99a17219edf560a2f94f20
SHA1

a5b53d5a138fa2e520c1094d60b02ea6e51e7861
SHA256

8bbb560c9f9db0d11a090180ad04b30ca4aa07108d8284d59ae3c39d091a61ed
SHA512

991c4156547c4b7d020f82e14a818c019f45dab4f786edf9b26a0ed01b900220d5796f8b4c5939001a23cde5c53070c72199203c23b301cd2364d283ae324a32
SSDEEP

768:6gsyD43/g9WXl6LEJxaCgxoCyVhrmPDGTRT1JHPkCS:6giv6ul6s6uVhrhRvk3

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4056	4a9c6a14ce99a17219edf560a2f94f20_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3hcyezxfhjw5uhq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crasos.exe"	4a9c6a14ce99a17219edf560a2f94f20_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4908	4056	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4056	4a9c6a14ce99a17219edf560a2f94f20_JaffaCakes118.exe
4056	4a9c6a14ce99a17219edf560a2f94f20_JaffaCakes118.exe
4056	4a9c6a14ce99a17219edf560a2f94f20_JaffaCakes118.exe
4056	4a9c6a14ce99a17219edf560a2f94f20_JaffaCakes118.exe
4056	4a9c6a14ce99a17219edf560a2f94f20_JaffaCakes118.exe
4056	4a9c6a14ce99a17219edf560a2f94f20_JaffaCakes118.exe
4056	4a9c6a14ce99a17219edf560a2f94f20_JaffaCakes118.exe
4056	4a9c6a14ce99a17219edf560a2f94f20_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4056	4a9c6a14ce99a17219edf560a2f94f20_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 3544	4056	4a9c6a14ce99a17219edf560a2f94f20_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3544
- C:\Users\Admin\AppData\Local\Temp\4a9c6a14ce99a17219edf560a2f94f20_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4a9c6a14ce99a17219edf560a2f94f20_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 380
    3⤵
    - Program crash
    PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4056 -ip 4056
1⤵
PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Msxo0.dll

Filesize
30KB

MD5
fbe65901daee822ce838789089586d04

SHA1
1c0a1207375c8bf4622dff1117511491f9c4f4fc

SHA256
a4f8d3cbe887545847f6b989e87fafa6b4e33d82520dadba98f177fbd3f7c9f1

SHA512
792454f6475a5331c3c84c774379e3995da0a3e17bcfc491cb350c4009ae65fb4cf250bd4e3b85aa8732afb79d72570fb17d395e18f8d2bf9476219347d750d4

Download Submit
memory/4056-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4056-1-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/4056-9-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4056-10-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4056-11-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download