0eab7a417611121c7d2ba7e3300f023938e51ec9203c965f38abe17272dfc29a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c5ad2a5bf127dd070d26ffbddd8f99c_JaffaCakes118.exe
Size

117KB
MD5

5c5ad2a5bf127dd070d26ffbddd8f99c
SHA1

0f5f3c87e84057723c559577333af11d1adc315f
SHA256

0eab7a417611121c7d2ba7e3300f023938e51ec9203c965f38abe17272dfc29a
SHA512

8a535502006fd5a1bacd3efcfeb8b41f8365da3e0b65fc254aa5172a4131d4c471c9322e04e6a1ee2c0617fdaf485c440459acbbe32a9c41be307d7eff9d1062
SSDEEP

768:8O8q/GDMdvqjNuVU1vcq9ahnLKCEUgkVG8X4zEGDAFGKj+:j8q/Ge2yUZc5htMn8X4IG8Y

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\2D9D7A1C\ImagePath = "C:\\Windows\\system32\\BDFDFA46.EXE -d"	5c5ad2a5bf127dd070d26ffbddd8f99c_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4164	BDFDFA46.EXE

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\BDFDFA46.EXE	5c5ad2a5bf127dd070d26ffbddd8f99c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_exif.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_768.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	BDFDFA46.EXE
File created	C:\Windows\SysWOW64\BDFDFA46.EXE	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_2560.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	BDFDFA46.EXE
File created	C:\Windows\SysWOW64\BDFDFA46.EXE	5c5ad2a5bf127dd070d26ffbddd8f99c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_custom_stream.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	BDFDFA46.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db	BDFDFA46.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	BDFDFA46.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "5"	BDFDFA46.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	BDFDFA46.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	BDFDFA46.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 4410000023da26e0e8d9da01	BDFDFA46.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	BDFDFA46.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00570069006e0064006f00770073005c00530079007300740065006d003300320000000000	BDFDFA46.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = fa060179e949dccdd07c1cde3e445a3c35f4a7b3a737b2e316e30ad068a5ebdd	BDFDFA46.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	BDFDFA46.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	BDFDFA46.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	BDFDFA46.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 40732304e8ef4553d41bf1089c7572999eedfb16cbedba1b4005951b0d0acb27	BDFDFA46.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	BDFDFA46.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
744	5c5ad2a5bf127dd070d26ffbddd8f99c_JaffaCakes118.exe
744	5c5ad2a5bf127dd070d26ffbddd8f99c_JaffaCakes118.exe
4164	BDFDFA46.EXE
4164	BDFDFA46.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	744	5c5ad2a5bf127dd070d26ffbddd8f99c_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
744	5c5ad2a5bf127dd070d26ffbddd8f99c_JaffaCakes118.exe
4164	BDFDFA46.EXE
4164	BDFDFA46.EXE
4164	BDFDFA46.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 4540	744	5c5ad2a5bf127dd070d26ffbddd8f99c_JaffaCakes118.exe	101
PID 744 wrote to memory of 4540	744	5c5ad2a5bf127dd070d26ffbddd8f99c_JaffaCakes118.exe	101
PID 744 wrote to memory of 4540	744	5c5ad2a5bf127dd070d26ffbddd8f99c_JaffaCakes118.exe	101

C:\Users\Admin\AppData\Local\Temp\5c5ad2a5bf127dd070d26ffbddd8f99c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5c5ad2a5bf127dd070d26ffbddd8f99c_JaffaCakes118.exe"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5C5AD2~1.EXE > nul
  2⤵
  PID:4540

C:\Windows\SysWOW64\BDFDFA46.EXE
C:\Windows\SysWOW64\BDFDFA46.EXE -d
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\BDFDFA46.EXE

Filesize
117KB

MD5
5c5ad2a5bf127dd070d26ffbddd8f99c

SHA1
0f5f3c87e84057723c559577333af11d1adc315f

SHA256
0eab7a417611121c7d2ba7e3300f023938e51ec9203c965f38abe17272dfc29a

SHA512
8a535502006fd5a1bacd3efcfeb8b41f8365da3e0b65fc254aa5172a4131d4c471c9322e04e6a1ee2c0617fdaf485c440459acbbe32a9c41be307d7eff9d1062

Download Submit