42f2a745d0302af4b253dc9a606a0b860252f081c80465e422ee4903d5f74979

Analysis

max time kernel
143s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 20:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5d7de4f8e4446e4a14deec911b737a4a_JaffaCakes118.exe
Size

713KB
MD5

5d7de4f8e4446e4a14deec911b737a4a
SHA1

f138fac0c2edb03306e42604ebe27271207d715d
SHA256

42f2a745d0302af4b253dc9a606a0b860252f081c80465e422ee4903d5f74979
SHA512

996b84cbe6d04507e4fd78cd336b55937760192c153d42db66f66241243c06ae90dc7cff28c2c9d9c066dfa4fd95441aae4fd4b7199a5ad0fdfb5aef6f08d04d
SSDEEP

12288://j17JA1mQEOU1k/BtwNfO1aVF3uTJiPNSkF3Z4mxxyoJwUp4YAMnf/USQ:njPA1mQ+kZtwNfmACJONhQmXyouU+3z

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1440	3.exe
2132	kav.exe

Loads dropped DLL 4 IoCs

pid	Process
2132	kav.exe
2132	kav.exe
2132	kav.exe
2132	kav.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5d7de4f8e4446e4a14deec911b737a4a_JaffaCakes118.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	3.exe
File created	C:\Windows\QZJUVM.DAT	3.exe
File created	C:\Windows\OEWJNN.DAT	3.exe
File created	C:\Windows\kav.exe	3.exe
File opened for modification	C:\Windows\kav.exe	3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1440	3.exe
Token: SeDebugPrivilege	2132	kav.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2132	kav.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2132	kav.exe
2132	kav.exe
2132	kav.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 1440	4960	5d7de4f8e4446e4a14deec911b737a4a_JaffaCakes118.exe	84
PID 4960 wrote to memory of 1440	4960	5d7de4f8e4446e4a14deec911b737a4a_JaffaCakes118.exe	84
PID 4960 wrote to memory of 1440	4960	5d7de4f8e4446e4a14deec911b737a4a_JaffaCakes118.exe	84
PID 1440 wrote to memory of 1500	1440	3.exe	89
PID 1440 wrote to memory of 1500	1440	3.exe	89
PID 1440 wrote to memory of 1500	1440	3.exe	89
PID 2132 wrote to memory of 1712	2132	kav.exe	90
PID 2132 wrote to memory of 1712	2132	kav.exe	90

C:\Users\Admin\AppData\Local\Temp\5d7de4f8e4446e4a14deec911b737a4a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5d7de4f8e4446e4a14deec911b737a4a_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    PID:1500

C:\Windows\kav.exe
C:\Windows\kav.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe

Filesize
893KB

MD5
ac8241183e7d8be176eee662ff976760

SHA1
029b5c8ae8b5ff0ae0c2056bc47093f2024c70d5

SHA256
ea56def157f9198335d3b0959fcf3c87e192ecb04b1b9a3f84f981df495b024d

SHA512
65521681907e532049e161e441aadb0758919d36c9cdc391d67013b5859638ceb68a63322b64fcbf5299ba02deef0208c8ab9411b724b89f1a23298ed198fc6a

Download Submit
C:\Windows\OEWJNN.DAT

Filesize
51KB

MD5
d58f992c53515c9f1fb9394a46f4cb48

SHA1
1f9909d227b93be10328e0abc64052da984657ba

SHA256
50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

SHA512
3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

Download Submit
C:\Windows\QZJUVM.DAT

Filesize
55KB

MD5
6853cba3ccc11699c2d840f41c10393f

SHA1
80a430dcc2cb34b05d433f0f63b8ef8a6a09bbe3

SHA256
0bcf3f4ff7862cd885003b8ecc4d424a2fd418fd64412ffe95a9c4221cc3de59

SHA512
a02fef8b7c721459fa6f081a1208bf8dd84d957663b4d711b9f6f1731deedf977e5a391ec7481797da7a594c3dd133e84865133855dcdbe6da2128887270114c

Download Submit
C:\Windows\uninstal.bat

Filesize
150B

MD5
67e4ea2c3e65d3236c8266b9c116f67f

SHA1
7e87f925ccd68b2b7c9af9f92e118db1990234f9

SHA256
2dff6c390d03870cec06d16fe0191475fb87ad2330b78d03c15e7ff0bed8f00c

SHA512
1a3cf0443e932b9b57f32531b3d61c917b9eec19a4ba73336011041e16a0022c5e62b2c768b34a0bdc08ffd75bbaa0338719577001496c9de8a5638420b0a229

Download Submit
memory/1440-73-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2132-80-0x0000000001700000-0x0000000001712000-memory.dmp

Filesize
72KB

Download
memory/2132-86-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2132-87-0x0000000001700000-0x0000000001712000-memory.dmp

Filesize
72KB

Download
memory/2132-88-0x0000000001820000-0x0000000001833000-memory.dmp

Filesize
76KB

Download
memory/2132-84-0x0000000001820000-0x0000000001833000-memory.dmp

Filesize
76KB

Download
memory/4960-30-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/4960-25-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/4960-40-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/4960-47-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4960-59-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4960-58-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4960-57-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4960-56-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4960-55-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4960-54-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4960-53-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4960-52-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4960-51-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4960-50-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4960-49-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4960-48-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4960-46-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4960-39-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/4960-38-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/4960-37-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/4960-36-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4960-35-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/4960-34-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/4960-33-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4960-32-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/4960-31-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/4960-42-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/4960-29-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/4960-28-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/4960-27-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/4960-26-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/4960-41-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/4960-24-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4960-23-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4960-22-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4960-21-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4960-20-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4960-19-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/4960-18-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/4960-17-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/4960-16-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/4960-15-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/4960-14-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/4960-13-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/4960-12-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/4960-11-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/4960-10-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/4960-9-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/4960-8-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/4960-7-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/4960-43-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/4960-44-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/4960-6-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4960-5-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/4960-4-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/4960-3-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4960-2-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/4960-77-0x00000000006F0000-0x0000000000744000-memory.dmp

Filesize
336KB

Download
memory/4960-76-0x0000000001000000-0x000000000111C000-memory.dmp

Filesize
1.1MB

Download
memory/4960-45-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4960-1-0x00000000006F0000-0x0000000000744000-memory.dmp

Filesize
336KB

Download
memory/4960-0-0x0000000001000000-0x000000000111C000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads