b51024aadb73de31e0f7540b125862d2ecad7cefbab5ab66944d4c0453b13c71

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59f6804172993c2f8a59ace860fb0d84_JaffaCakes118.exe
Size

609KB
MD5

59f6804172993c2f8a59ace860fb0d84
SHA1

a5b8c86067f75c029dc94fb9f78fba169f6bd5bb
SHA256

b51024aadb73de31e0f7540b125862d2ecad7cefbab5ab66944d4c0453b13c71
SHA512

971728aaa072d858e79d15cc422e2a6ab1d9496438ad0d836e9e053f0dc2d2f47e6930df7ba242f61f300cdab09a3f645d21de4937f0c57cc34749b5d44788aa
SSDEEP

12288:6hw0Sgkid7wuPUYjiwONpuSNqs4dGhWzca4caKFIqZxqO80rAKsp+:6hwp7mcuPUYjiwONpuSNqsCGhWzGKiLw

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\FILEM701.SYS	59f6804172993c2f8a59ace860fb0d84_JaffaCakes11864.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FILEMON701\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\Drivers\\FILEM701.SYS"	59f6804172993c2f8a59ace860fb0d84_JaffaCakes11864.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FILEMON701\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\FILEM701.SYS"	59f6804172993c2f8a59ace860fb0d84_JaffaCakes11864.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00080000000234a4-2.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
4608	59f6804172993c2f8a59ace860fb0d84_JaffaCakes11864.exe

Loads dropped DLL 2 IoCs

pid	Process
3948	59f6804172993c2f8a59ace860fb0d84_JaffaCakes118.exe
3948	59f6804172993c2f8a59ace860fb0d84_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
4608	59f6804172993c2f8a59ace860fb0d84_JaffaCakes11864.exe
4608	59f6804172993c2f8a59ace860fb0d84_JaffaCakes11864.exe
4608	59f6804172993c2f8a59ace860fb0d84_JaffaCakes11864.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4608	59f6804172993c2f8a59ace860fb0d84_JaffaCakes11864.exe
Token: SeLoadDriverPrivilege	4608	59f6804172993c2f8a59ace860fb0d84_JaffaCakes11864.exe
Token: SeLoadDriverPrivilege	4608	59f6804172993c2f8a59ace860fb0d84_JaffaCakes11864.exe
Token: SeLoadDriverPrivilege	4608	59f6804172993c2f8a59ace860fb0d84_JaffaCakes11864.exe
Token: SeLoadDriverPrivilege	4608	59f6804172993c2f8a59ace860fb0d84_JaffaCakes11864.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3948	59f6804172993c2f8a59ace860fb0d84_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 4608	3948	59f6804172993c2f8a59ace860fb0d84_JaffaCakes118.exe	85
PID 3948 wrote to memory of 4608	3948	59f6804172993c2f8a59ace860fb0d84_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\59f6804172993c2f8a59ace860fb0d84_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\59f6804172993c2f8a59ace860fb0d84_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Users\Admin\AppData\Local\Temp\59f6804172993c2f8a59ace860fb0d84_JaffaCakes11864.exe
  "C:\Users\Admin\AppData\Local\Temp\59f6804172993c2f8a59ace860fb0d84_JaffaCakes118.exe"
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\59f6804172993c2f8a59ace860fb0d84_JaffaCakes11864.exe

Filesize
227KB

MD5
1c4b8101367149babb7df5587b3f5243

SHA1
de36f07b5c4a731e5840bf1299fd3aaf80b096fa

SHA256
65dbf5b9004294986f90b41a9883f6941cc431d13b0b17321389b3772f85132e

SHA512
da83e78e4f0dbc50e180f02e77e5ee9477969912c91e966fa972b03f04575e7aac24d782b42b26e034c9d4e089166e58b0a8720305b24ce753338e94e1f3d2c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ltiC36F.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/3948-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3948-8-0x0000000002230000-0x00000000022A3000-memory.dmp

Filesize
460KB

Download
memory/3948-6-0x0000000002230000-0x00000000022A3000-memory.dmp

Filesize
460KB

Download
memory/3948-16-0x0000000002230000-0x00000000022A3000-memory.dmp

Filesize
460KB

Download
memory/3948-17-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads