10d2a8c67ed0682d61a1178b3c9f6d021eee72e6444b31749e43feabe990851c

Analysis

max time kernel
92s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe
Size

112KB
MD5

4b5c15011162caa9163748758048c8c9
SHA1

283c30de200afb9c607203f9677771e351b8d625
SHA256

10d2a8c67ed0682d61a1178b3c9f6d021eee72e6444b31749e43feabe990851c
SHA512

360f14ecaf1abf528757db896927331be38f9bcdc49cb181d2438f67cb802f63d8630950b2f2791e0ce2a8748b56912ddac015cae614280ac3034907ae342dbc
SSDEEP

1536:95LO7C3P3CO9Lgl9hqC6z7nO14WPjFrJf:95eAP3COafwm1R

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12345678-xyj-14d0-89bb-0090ce808666}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12345678-xyj-14d0-89bb-0090ce808666}\StubPath = "C:\\WINDOWS\\system32\\xyj.bat"	regedit.exe

Executes dropped EXE 1 IoCs

pid	Process
5064	svchost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\xyj.bat	4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\sunxyj.bat	4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\xyj.dll	4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\xyj.reg	4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\system\svchost.exe	4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2608	regedit.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3632	4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe
3632	4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe
3632	4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe
3632	4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3632 wrote to memory of 5064	3632	4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe	83
PID 3632 wrote to memory of 5064	3632	4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe	83
PID 3632 wrote to memory of 5064	3632	4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe	83
PID 3632 wrote to memory of 4624	3632	4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe	84
PID 3632 wrote to memory of 4624	3632	4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe	84
PID 3632 wrote to memory of 4624	3632	4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe	84
PID 4624 wrote to memory of 2608	4624	cmd.exe	87
PID 4624 wrote to memory of 2608	4624	cmd.exe	87
PID 4624 wrote to memory of 2608	4624	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3632
- C:\WINDOWS\system\svchost.exe
  C:\WINDOWS\system\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\sunxyj.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s xyj.reg
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Runs .reg file with regedit
    PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\SysWOW64\sunxyj.bat

Filesize
22B

MD5
a5e1a8facc10b673d42e4bca6d007287

SHA1
281a0d5319067f066455b0a0b9aa6c6492aec6d2

SHA256
b2edc50f3a9a79032dde68bc5cd2491127a70488dc8bd539fbef4186e73bcb11

SHA512
cec914883513ad1e5338ff985375a762d047e0992fa9d9aa6cd4e18e9dee3ae57da1cf70a9e2702f22fbddb9bda46ae459f6e6e9dd6391c21253e2924d40843c

Download Submit
C:\Windows\SysWOW64\xyj.reg

Filesize
309B

MD5
79081c86f5fa286cb4465092a368fec5

SHA1
a8eecb7150985c8bf945ec10257a7aa43869c3fd

SHA256
267958578f32313ef5185714a6a85955c6dd52342a2cc1e36b9df240eeec0625

SHA512
aa430d8bd1fa7789ad781f6456e03c57cf110ac03485b810a2332695776eb3434810dbaa92d7907f86127577e8cc622deb4a69f99a46b4aa6e359fd7e9b1f42a

Download Submit
C:\Windows\System\svchost.exe

Filesize
40KB

MD5
f878619f7e8438ba39f23529a45d17d4

SHA1
c69f80fa4489e376106b79d61c08cc97c00ef29f

SHA256
f40ae7cdaf6b5201b39d6046fdb95bcacf4ba8059534306de2a947a8b9567ef1

SHA512
a4f07159a15542ddee486081703649bf8fdc8dd5f4dbf6e80f29b0de6aa0a70ab74a90728a3f64333d65534cbe3b444ce9db823f5c2bcb6dc76f027297972ab0

Download Submit