3653dab7ffff542a1d5e17c1eb5e7b706b691289f45f1fc4db48c5c6d6ae4095

Analysis

max time kernel
141s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 08:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5b1e1534c828d398b0ae91820913911f_JaffaCakes118.exe
Size

33KB
MD5

5b1e1534c828d398b0ae91820913911f
SHA1

77b9e6c9bed65e5611756cddb92eaad41b1ba110
SHA256

3653dab7ffff542a1d5e17c1eb5e7b706b691289f45f1fc4db48c5c6d6ae4095
SHA512

c4051ee32ff5c076259788bab0cf582e9492e5e8f5850ceb3a301c548dd9d9bca1b63e42116e39bbeed1010445bd218124928a9f33c9a2eb6e7d7a9aa0960a0c
SSDEEP

768:y2d8jt9SE99aHTPkPWP4a7pU1gWKd7Pqqqq+QQ9SxUEt3O:7stkZzrQepU9KlxUj

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\44939 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\msweju.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
392	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\LOCALS~1\Temp\msweju.exe	svchost.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3832	5b1e1534c828d398b0ae91820913911f_JaffaCakes118.exe
3832	5b1e1534c828d398b0ae91820913911f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3832	5b1e1534c828d398b0ae91820913911f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 392	3832	5b1e1534c828d398b0ae91820913911f_JaffaCakes118.exe	84
PID 3832 wrote to memory of 392	3832	5b1e1534c828d398b0ae91820913911f_JaffaCakes118.exe	84
PID 3832 wrote to memory of 392	3832	5b1e1534c828d398b0ae91820913911f_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\5b1e1534c828d398b0ae91820913911f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5b1e1534c828d398b0ae91820913911f_JaffaCakes118.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe
  2⤵
  - Adds policy Run key to start application
  - Deletes itself
  - Drops file in Program Files directory
  PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/392-4-0x0000000000980000-0x000000000098E000-memory.dmp

Filesize
56KB

Download
memory/392-7-0x0000000000980000-0x000000000098E000-memory.dmp

Filesize
56KB

Download
memory/392-10-0x00000000013C0000-0x00000000013C5000-memory.dmp

Filesize
20KB

Download
memory/3832-0-0x00000000006E0000-0x00000000006E5000-memory.dmp

Filesize
20KB

Download
memory/3832-2-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/3832-1-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/3832-3-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3832-8-0x00000000006E0000-0x00000000006E5000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads