29774d13d0e0d74f767ea8b2b70fab35d686d1c6359d0b30dd2dcfb62dfcdc3d

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2024 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a8649a2f98137f777ff71a0252e19bb_JaffaCakes118.exe
Size

171KB
MD5

5a8649a2f98137f777ff71a0252e19bb
SHA1

f4fec2fafb7b16b8df746361fc6cf6bb4fd56fb4
SHA256

29774d13d0e0d74f767ea8b2b70fab35d686d1c6359d0b30dd2dcfb62dfcdc3d
SHA512

b9617f55e032b12524854a1b6e9ed00f5841f307838da6c3bcd707751e484315965ab892c07e7c01e51461ef53f5d42221feeac97ea9379bd281891ef19df56e
SSDEEP

3072:On3ObbQgBhw8ZHSfYEeqEVo10n69/LUKfVlwOieJHh7M4rh3q4vDxrLmkG80ZNSB:On3OvZ5yz1e69DUK/NTJB7M413qSD5Jv

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3924	9DDB3459A45.exe
1812	FduCEE9.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/32-3-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/32-12-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/3924-16-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/3924-20-0x0000000000400000-0x0000000000473000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9XXV3E5J4EYC3FZUZ = "C:\\winlog\\9DDB3459A45.exe /q"	FduCEE9.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Internet Explorer\PhishingFilter	FduCEE9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	FduCEE9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = "0"	FduCEE9.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Internet Explorer\Recovery	FduCEE9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = "0"	FduCEE9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
32	5a8649a2f98137f777ff71a0252e19bb_JaffaCakes118.exe
32	5a8649a2f98137f777ff71a0252e19bb_JaffaCakes118.exe
32	5a8649a2f98137f777ff71a0252e19bb_JaffaCakes118.exe
32	5a8649a2f98137f777ff71a0252e19bb_JaffaCakes118.exe
3924	9DDB3459A45.exe
3924	9DDB3459A45.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe
1812	FduCEE9.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	32	5a8649a2f98137f777ff71a0252e19bb_JaffaCakes118.exe
Token: SeDebugPrivilege	32	5a8649a2f98137f777ff71a0252e19bb_JaffaCakes118.exe
Token: SeDebugPrivilege	32	5a8649a2f98137f777ff71a0252e19bb_JaffaCakes118.exe
Token: SeDebugPrivilege	32	5a8649a2f98137f777ff71a0252e19bb_JaffaCakes118.exe
Token: SeDebugPrivilege	3924	9DDB3459A45.exe
Token: SeDebugPrivilege	3924	9DDB3459A45.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe
Token: SeDebugPrivilege	1812	FduCEE9.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 32 wrote to memory of 3924	32	5a8649a2f98137f777ff71a0252e19bb_JaffaCakes118.exe	87
PID 32 wrote to memory of 3924	32	5a8649a2f98137f777ff71a0252e19bb_JaffaCakes118.exe	87
PID 32 wrote to memory of 3924	32	5a8649a2f98137f777ff71a0252e19bb_JaffaCakes118.exe	87
PID 3924 wrote to memory of 1812	3924	9DDB3459A45.exe	88
PID 3924 wrote to memory of 1812	3924	9DDB3459A45.exe	88
PID 3924 wrote to memory of 1812	3924	9DDB3459A45.exe	88
PID 3924 wrote to memory of 1812	3924	9DDB3459A45.exe	88
PID 3924 wrote to memory of 1812	3924	9DDB3459A45.exe	88
PID 1812 wrote to memory of 32	1812	FduCEE9.exe	83
PID 1812 wrote to memory of 32	1812	FduCEE9.exe	83
PID 1812 wrote to memory of 32	1812	FduCEE9.exe	83
PID 1812 wrote to memory of 32	1812	FduCEE9.exe	83

C:\Users\Admin\AppData\Local\Temp\5a8649a2f98137f777ff71a0252e19bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5a8649a2f98137f777ff71a0252e19bb_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:32
- C:\winlog\9DDB3459A45.exe
  "C:\winlog\9DDB3459A45.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Users\Admin\AppData\Local\Temp\FduCEE9.exe
    "C:\Users\Admin\AppData\Local\Temp\FduCEE9.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies Internet Explorer Phishing Filter
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FduCEE9.exe

Filesize
3KB

MD5
29090b6b4d6605a97ac760d06436ac2d

SHA1
d929d3389642e52bae5ad8512293c9c4d3e4fab5

SHA256
98a24f0caf5b578e230e6f1103a5fba6aecb28a9128cad5520fcde546d643272

SHA512
9121ec42fa66e14a4fc3932c8dbcc8fb1a93ab9de00da57a82e176faa70b73f6992f8c5e2ab52c02fc28c8f0c59aee73b6fbbd39107db7d15105054f4390e9be

Download Submit
C:\winlog\9DDB3459A45.exe

Filesize
171KB

MD5
5a8649a2f98137f777ff71a0252e19bb

SHA1
f4fec2fafb7b16b8df746361fc6cf6bb4fd56fb4

SHA256
29774d13d0e0d74f767ea8b2b70fab35d686d1c6359d0b30dd2dcfb62dfcdc3d

SHA512
b9617f55e032b12524854a1b6e9ed00f5841f307838da6c3bcd707751e484315965ab892c07e7c01e51461ef53f5d42221feeac97ea9379bd281891ef19df56e

Download Submit
C:\winlog\BF5CD0C61D89545

Filesize
6KB

MD5
01a22ae83fcf1dba148db9b8ed07a977

SHA1
07dd5d7730dad0b35370c3319f4ab3eaa662dd9e

SHA256
02e9a5efa5bd7488976106ded414fe846edeb4afc3c5228e55cd90e96bfe6509

SHA512
31238992d0775090990dd098d91c9a3f68befa584a782e1af2d6fa5dde66c8398560feafb41aa5ba782d2285e7126e454b82b0d10d64bfa033d446d72cd825d7

Download Submit
memory/32-80-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/32-67-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/32-81-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/32-3-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/32-12-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/32-77-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/32-72-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/32-73-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/32-75-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/32-76-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/32-78-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/32-2-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/32-79-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/32-0-0x000000000040C000-0x000000000040D000-memory.dmp

Filesize
4KB

Download
memory/32-5-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/32-82-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/32-4-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/32-83-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/32-65-0x000000000040C000-0x000000000040D000-memory.dmp

Filesize
4KB

Download
memory/32-84-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/32-85-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/32-86-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/32-87-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/32-88-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/32-89-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/32-90-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/32-74-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/32-71-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/32-70-0x00000000770A2000-0x00000000770A4000-memory.dmp

Filesize
8KB

Download
memory/32-68-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/32-1-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1812-35-0x0000000000550000-0x0000000000556000-memory.dmp

Filesize
24KB

Download
memory/1812-56-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1812-49-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1812-48-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1812-47-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1812-45-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1812-44-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1812-43-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1812-46-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1812-40-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1812-39-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1812-42-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1812-33-0x00000000024B0000-0x00000000024F6000-memory.dmp

Filesize
280KB

Download
memory/1812-51-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1812-31-0x00000000024B0000-0x00000000024F6000-memory.dmp

Filesize
280KB

Download
memory/1812-29-0x00000000024B0000-0x00000000024F6000-memory.dmp

Filesize
280KB

Download
memory/1812-30-0x00000000024B0000-0x00000000024F6000-memory.dmp

Filesize
280KB

Download
memory/1812-26-0x0000000001001000-0x0000000001002000-memory.dmp

Filesize
4KB

Download
memory/1812-52-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1812-54-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1812-55-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1812-50-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1812-57-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1812-58-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1812-59-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1812-60-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1812-61-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1812-62-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1812-64-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1812-66-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1812-53-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1812-41-0x000000000BAD0000-0x000000000BB16000-memory.dmp

Filesize
280KB

Download
memory/1812-36-0x00000000024B0000-0x00000000024F6000-memory.dmp

Filesize
280KB

Download
memory/1812-34-0x00000000024B0000-0x00000000024F6000-memory.dmp

Filesize
280KB

Download
memory/1812-27-0x0000000001000000-0x0000000001004000-memory.dmp

Filesize
16KB

Download
memory/1812-22-0x00000000024B0000-0x00000000024F6000-memory.dmp

Filesize
280KB

Download
memory/3924-20-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3924-16-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3924-15-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3924-13-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3924-14-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download