e6c3370a121b74be33af5c7daf69750fd1eef77f9a668fcb18639e3da808d67c

Analysis

max time kernel
142s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b532b0a545e3cbee73ac9d12192dbd6_JaffaCakes118.exe
Size

382KB
MD5

5b532b0a545e3cbee73ac9d12192dbd6
SHA1

020d19ae4625d9f8536a3e9105c4790ab54dfe64
SHA256

e6c3370a121b74be33af5c7daf69750fd1eef77f9a668fcb18639e3da808d67c
SHA512

7adc7b575fc4bae37bd8d58aa8f8f765adea7dec502d4c2a93b9171b5ae6ee5b2acfee121e4c5d48148559ec23673e12c82da1a39c57cbcb24b8301f9c83d51d
SSDEEP

6144:2WaEC2hxAMAhymq6BE8PCaN633aHHc5UykfEOOy+ZXf7UTmmjf/b8NPTZ/5J83:djhKJhDBE263d1kfIZvyjr0ZD83

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4460	Setup.exe
540	yxxsj.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5b532b0a545e3cbee73ac9d12192dbd6_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\yxxsj.exe	Setup.exe
File created	C:\Windows\uninstal.bat	Setup.exe
File created	C:\Windows\yxxsj.exe	Setup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4460	Setup.exe
Token: SeDebugPrivilege	540	yxxsj.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
540	yxxsj.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 4460	3028	5b532b0a545e3cbee73ac9d12192dbd6_JaffaCakes118.exe	84
PID 3028 wrote to memory of 4460	3028	5b532b0a545e3cbee73ac9d12192dbd6_JaffaCakes118.exe	84
PID 3028 wrote to memory of 4460	3028	5b532b0a545e3cbee73ac9d12192dbd6_JaffaCakes118.exe	84
PID 540 wrote to memory of 3512	540	yxxsj.exe	89
PID 540 wrote to memory of 3512	540	yxxsj.exe	89
PID 4460 wrote to memory of 3244	4460	Setup.exe	92
PID 4460 wrote to memory of 3244	4460	Setup.exe	92
PID 4460 wrote to memory of 3244	4460	Setup.exe	92

C:\Users\Admin\AppData\Local\Temp\5b532b0a545e3cbee73ac9d12192dbd6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5b532b0a545e3cbee73ac9d12192dbd6_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    PID:3244

C:\Windows\yxxsj.exe
C:\Windows\yxxsj.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:540
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe

Filesize
743KB

MD5
6d426a0b603dfd68be553d6d8b9faa26

SHA1
6a21b635ead0bd4e83f27e8f20c8eeb64b50966c

SHA256
3292745838d07161d7efc23e7139e065eb18ff626d0361dc7a0e54957ff13507

SHA512
306634affc21d9270f5c7a803799b658bb114a6e3ac2c4beef6e65cf1771c4e8a4bd13f056ffe92b690b477c15be71453597dbf742e85c9abd8c0327316897c6

Download Submit
C:\Windows\uninstal.bat

Filesize
158B

MD5
5c7ac7be691db8bc6ab3d17f804859d0

SHA1
fa1af53cd2c7a7ccbecf3dfa728ddac591ac73a0

SHA256
c078e1033ad4d87f6f7399c028410e2785528064086a7147ee067ffce113fcb1

SHA512
2e10ee35e3574bacabcdf43f9d50d42ec91eacbb23ab3f39ecd28358eee550ef157ea15fa4e73449a28b2002043030da13239aee325b94ff0d0b4ca42af42f8c

Download Submit
memory/540-11-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/540-17-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/540-19-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/3028-0-0x0000000001000000-0x00000000010C1400-memory.dmp

Filesize
773KB

Download
memory/3028-15-0x0000000001000000-0x00000000010C1400-memory.dmp

Filesize
773KB

Download
memory/4460-6-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/4460-14-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads