720bfd14979d7d40bcd30dcf849140da184df80d37b94cd9e4687528dd3308dd

Analysis

max time kernel
146s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2024 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
Size

120KB
MD5

5d51a85f2e288d315df140618cdec59c
SHA1

968fd07becd7622afd9043c7438d6eb077f78755
SHA256

720bfd14979d7d40bcd30dcf849140da184df80d37b94cd9e4687528dd3308dd
SHA512

59f15e39b8c6ab41c34866b2928a1179e264d1a08b68112eaf3f39fcb9b2bd97d52450e5d928a4950793df811018f5eb46c58f2078c4fcfc74a413ca6d94d6b2
SSDEEP

1536:KU1qYQdy3yw4y1zCfk6z3PDxLKk4CXNtmO+OYXz+h7SAhZnozW/QpOEPl:KW53546CfDz/VdNtmH6D8G9Kl

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VGA Service = "C:\\Windows\\msagent\\mswhmn.com"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VGA Service = "C:\\Windows\\msagent\\mswhmn.com"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44AA0332-EADD-22EF-BA32-20AA12E6115C}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44AA0332-EADD-22EF-BA32-20AA12E6115C}\StubPath = "C:\\Windows\\system32\\msjtlv.com"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
112	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msjtlv.com	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msjtlv.com	svchost.exe
File created	C:\Windows\SysWOW64\msjtlv.com	svchost.exe
File created	C:\Windows\SysWOW64\jtlv.slf	svchost.exe
File opened for modification	C:\Windows\SysWOW64\jtlv.slf	svchost.exe
File opened for modification	C:\Windows\SysWOW64\msjtlv.com	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
File opened for modification	C:\Windows\msagent\mswhmn.com	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
File created	C:\Windows\msagent\mswhmn.com	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
File opened for modification	C:\Windows\svchost.exe	svchost.exe
File created	C:\Windows\svchost.exe	svchost.exe
File opened for modification	C:\Windows\msagent\mswhmn.com	svchost.exe
File created	C:\Windows\msagent\mswhmn.com	svchost.exe
File opened for modification	C:\Windows\svchost.exe	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
112	svchost.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
Token: SeSecurityPrivilege	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
Token: SeSystemtimePrivilege	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
Token: SeBackupPrivilege	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
Token: SeRestorePrivilege	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
Token: SeShutdownPrivilege	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
Token: SeDebugPrivilege	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
Token: SeUndockPrivilege	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
Token: SeManageVolumePrivilege	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
Token: 33	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
Token: 34	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
Token: 35	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
Token: 36	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	112	svchost.exe
Token: SeSecurityPrivilege	112	svchost.exe
Token: SeTakeOwnershipPrivilege	112	svchost.exe
Token: SeLoadDriverPrivilege	112	svchost.exe
Token: SeSystemProfilePrivilege	112	svchost.exe
Token: SeSystemtimePrivilege	112	svchost.exe
Token: SeProfSingleProcessPrivilege	112	svchost.exe
Token: SeIncBasePriorityPrivilege	112	svchost.exe
Token: SeCreatePagefilePrivilege	112	svchost.exe
Token: SeBackupPrivilege	112	svchost.exe
Token: SeRestorePrivilege	112	svchost.exe
Token: SeShutdownPrivilege	112	svchost.exe
Token: SeDebugPrivilege	112	svchost.exe
Token: SeSystemEnvironmentPrivilege	112	svchost.exe
Token: SeRemoteShutdownPrivilege	112	svchost.exe
Token: SeUndockPrivilege	112	svchost.exe
Token: SeManageVolumePrivilege	112	svchost.exe
Token: 33	112	svchost.exe
Token: 34	112	svchost.exe
Token: 35	112	svchost.exe
Token: 36	112	svchost.exe
Token: 33	112	svchost.exe
Token: SeIncBasePriorityPrivilege	112	svchost.exe
Token: 33	112	svchost.exe
Token: SeIncBasePriorityPrivilege	112	svchost.exe
Token: 33	112	svchost.exe
Token: SeIncBasePriorityPrivilege	112	svchost.exe
Token: 33	112	svchost.exe
Token: SeIncBasePriorityPrivilege	112	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 112	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe	85
PID 4672 wrote to memory of 112	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe	85
PID 4672 wrote to memory of 112	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe	85
PID 4672 wrote to memory of 3032	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe	86
PID 4672 wrote to memory of 3032	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe	86
PID 4672 wrote to memory of 3032	4672	5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5d51a85f2e288d315df140618cdec59c_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\#3#.bat
  2⤵
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\#3#.bat

Filesize
208B

MD5
a897bea0d7ca08276f8d76f13f9738f1

SHA1
2095ceb44112887fa9d99d89552a744eaebe3173

SHA256
9b97b258e19b1084c9937f6379eb20ab9cf8b0b763d04984bf388cd7c6c3ca94

SHA512
b9b66730c2fe0dd8cbf4bf8e14a3f7f854d786dcc071063773651f507dbd9f4f29b4abb7efbd75de59599b745814fb166400148d2d2473936ef850237ec8a0e5

Download Submit
C:\Windows\SysWOW64\msjtlv.com

Filesize
120KB

MD5
5d51a85f2e288d315df140618cdec59c

SHA1
968fd07becd7622afd9043c7438d6eb077f78755

SHA256
720bfd14979d7d40bcd30dcf849140da184df80d37b94cd9e4687528dd3308dd

SHA512
59f15e39b8c6ab41c34866b2928a1179e264d1a08b68112eaf3f39fcb9b2bd97d52450e5d928a4950793df811018f5eb46c58f2078c4fcfc74a413ca6d94d6b2

Download Submit
memory/112-29-0x0000000000400000-0x0000000000427E00-memory.dmp

Filesize
159KB

Download
memory/112-30-0x0000000000400000-0x0000000000427E00-memory.dmp

Filesize
159KB

Download
memory/112-21-0x0000000000400000-0x0000000000427E00-memory.dmp

Filesize
159KB

Download
memory/112-22-0x0000000000400000-0x0000000000427E00-memory.dmp

Filesize
159KB

Download
memory/112-23-0x0000000000400000-0x0000000000427E00-memory.dmp

Filesize
159KB

Download
memory/112-24-0x0000000000400000-0x0000000000427E00-memory.dmp

Filesize
159KB

Download
memory/112-36-0x0000000000400000-0x0000000000427E00-memory.dmp

Filesize
159KB

Download
memory/112-20-0x0000000000400000-0x0000000000427E00-memory.dmp

Filesize
159KB

Download
memory/112-31-0x0000000000400000-0x0000000000427E00-memory.dmp

Filesize
159KB

Download
memory/112-32-0x0000000000400000-0x0000000000427E00-memory.dmp

Filesize
159KB

Download
memory/112-33-0x0000000000400000-0x0000000000427E00-memory.dmp

Filesize
159KB

Download
memory/112-34-0x0000000000400000-0x0000000000427E00-memory.dmp

Filesize
159KB

Download
memory/112-35-0x0000000000400000-0x0000000000427E00-memory.dmp

Filesize
159KB

Download
memory/4672-14-0x0000000000400000-0x0000000000427E00-memory.dmp

Filesize
159KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads