90e081170de55b8179af30a8616f80f0de94410f75aed46c0e4e1743642e5bff

Analysis

max time kernel
142s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2024 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5dc21a4331c92fcaa5855af2cc9bd099_JaffaCakes118.exe
Size

2.3MB
MD5

5dc21a4331c92fcaa5855af2cc9bd099
SHA1

d3100bf280c5909a1bcd137523979e15f62c7b05
SHA256

90e081170de55b8179af30a8616f80f0de94410f75aed46c0e4e1743642e5bff
SHA512

6ccd1c72ea5205ae3d9f0a365a16aafe44f80c8e80095a0fb0317fae20fd114004e31f8ea291fe027d944a1f4c084962744cd9bfe1a74b12f36db3a349a89898
SSDEEP

49152:tDvieMu44n0kv9SNleaOmC1KJGles6SqdyPpCiQjzBsbyWIAQA9Se1WB:keELkv9SXpfGD6tQBuEyWNPse1A

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2528	svchost.exe
2064	5dc21a4331c92fcaa5855af2cc9bd099_JaffaCakes118.exe
4328	svchost.exe
2756	is-G4V14.tmp

Loads dropped DLL 1 IoCs

pid	Process
2756	is-G4V14.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	5dc21a4331c92fcaa5855af2cc9bd099_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 2528	4852	5dc21a4331c92fcaa5855af2cc9bd099_JaffaCakes118.exe	84
PID 4852 wrote to memory of 2528	4852	5dc21a4331c92fcaa5855af2cc9bd099_JaffaCakes118.exe	84
PID 4852 wrote to memory of 2528	4852	5dc21a4331c92fcaa5855af2cc9bd099_JaffaCakes118.exe	84
PID 2528 wrote to memory of 2064	2528	svchost.exe	85
PID 2528 wrote to memory of 2064	2528	svchost.exe	85
PID 2528 wrote to memory of 2064	2528	svchost.exe	85
PID 2064 wrote to memory of 2756	2064	5dc21a4331c92fcaa5855af2cc9bd099_JaffaCakes118.exe	87
PID 2064 wrote to memory of 2756	2064	5dc21a4331c92fcaa5855af2cc9bd099_JaffaCakes118.exe	87
PID 2064 wrote to memory of 2756	2064	5dc21a4331c92fcaa5855af2cc9bd099_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\5dc21a4331c92fcaa5855af2cc9bd099_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5dc21a4331c92fcaa5855af2cc9bd099_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\5dc21a4331c92fcaa5855af2cc9bd099_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\5dc21a4331c92fcaa5855af2cc9bd099_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5dc21a4331c92fcaa5855af2cc9bd099_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Users\Admin\AppData\Local\Temp\is-2NIHH.tmp\is-G4V14.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-2NIHH.tmp\is-G4V14.tmp" /SL4 $70048 "C:\Users\Admin\AppData\Local\Temp\5dc21a4331c92fcaa5855af2cc9bd099_JaffaCakes118.exe" 2075926 52736
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2756

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5dc21a4331c92fcaa5855af2cc9bd099_JaffaCakes118.exe

Filesize
2.2MB

MD5
9270b280577408dc2be6b4f42c9f8579

SHA1
d9e68355f112dcb2a9659b621c50cacfb7f14489

SHA256
e4a760fe6fd184bfbd6a9164afe7720664ec94bdf04f9996398b68b7ba56d6ef

SHA512
f47f85895d27f049f0d54c71a67264de601a94f6e8ac6eeda89230b0853494f8a7923d9fa8b1363a40f40e68f3f4692db4c873d5849dd337a0017fb674b4968c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2NIHH.tmp\is-G4V14.tmp

Filesize
657KB

MD5
3dafb498bb15d5260cb2c12b391a0d48

SHA1
c775ae9fdf18ab0ce38a8adffabe378f461e79a1

SHA256
c5d5f5f814c5bc4989d691442051e5e78cf1971eb9b773a7a26b438e58a73d7a

SHA512
a42f39a73bd4615490c6e33c017fa09f9992e3327d244b050b6634ad696d421170fd63ec5d5e66e92d112dc804eabd0bcd56494c9499d78fad8b46fe2ef32a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PHN7A.tmp\saction.dll

Filesize
256KB

MD5
26184b7c6cdfcce0df38351781e1ef90

SHA1
da67d3f3d710a57383dc7187fd23704f283106de

SHA256
c7d0d6600790f5f95a098b1e565b54521c53175d8cf29b07145fffe9d36fa01d

SHA512
c35848b7b0377b8430cb1a50cbbb0f1d81cb496b26c56f680581f4629730167b90d631708cd88639cb3373d5db33681c622230b119537ab2073444fd2d859b4e

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
memory/2064-31-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2064-13-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2064-17-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2528-10-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2756-24-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2756-33-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4328-32-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4328-50-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4328-71-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4852-3-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download