1b669bffcdedfa243e2f9479de0f6301d2ebf7eed3ebdc4596f07dc61408c403

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e60853c7f0b86162d662da5046608c8_JaffaCakes118.exe
Size

223KB
MD5

5e60853c7f0b86162d662da5046608c8
SHA1

9d632b511936460ea4f6e8248dd278b518e2be39
SHA256

1b669bffcdedfa243e2f9479de0f6301d2ebf7eed3ebdc4596f07dc61408c403
SHA512

22f2a117e49496a5321aec544f8ad70b2fee0a51b9372ee26fab47669fdf99a7ed4132f79045c9b9a80a9a9162d8de33cd0ebef9bb5d349717aae75108b8e648
SSDEEP

6144:zyr9fvejj2mGQsiXfDE4qvZNXpAE4rkNtxBaUw+5rt:C6HfsD4mNLbNtx5j5J

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5080	Vbuxaa.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Vbuxaa.exe	5e60853c7f0b86162d662da5046608c8_JaffaCakes118.exe
File opened for modification	C:\Windows\Vbuxaa.exe	5e60853c7f0b86162d662da5046608c8_JaffaCakes118.exe
File created	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	Vbuxaa.exe
File opened for modification	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	Vbuxaa.exe
File created	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	5e60853c7f0b86162d662da5046608c8_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	5e60853c7f0b86162d662da5046608c8_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	5e60853c7f0b86162d662da5046608c8_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Vbuxaa.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Main	Vbuxaa.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\International	Vbuxaa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe
5080	Vbuxaa.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 5080	4800	5e60853c7f0b86162d662da5046608c8_JaffaCakes118.exe	87
PID 4800 wrote to memory of 5080	4800	5e60853c7f0b86162d662da5046608c8_JaffaCakes118.exe	87
PID 4800 wrote to memory of 5080	4800	5e60853c7f0b86162d662da5046608c8_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\5e60853c7f0b86162d662da5046608c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5e60853c7f0b86162d662da5046608c8_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\Vbuxaa.exe
  C:\Windows\Vbuxaa.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job

Filesize
390B

MD5
99898579234b93a8665254e34668f5bd

SHA1
9045208586456762f71e82229212eed032d91029

SHA256
e5cb9677f96c43d51956e8f913dd06e06aa7dfd2f3a382d1fb653c8d058a3193

SHA512
b4eff9fb161106c0e1ff518465737505f5fe76a204b14a18bb936e8eda67cf8ffd36fad5aeb8c8d18e7678590ecb26f2b435ee9a624398afeb846d8c260eb4c6

Download Submit
C:\Windows\Vbuxaa.exe

Filesize
223KB

MD5
5e60853c7f0b86162d662da5046608c8

SHA1
9d632b511936460ea4f6e8248dd278b518e2be39

SHA256
1b669bffcdedfa243e2f9479de0f6301d2ebf7eed3ebdc4596f07dc61408c403

SHA512
22f2a117e49496a5321aec544f8ad70b2fee0a51b9372ee26fab47669fdf99a7ed4132f79045c9b9a80a9a9162d8de33cd0ebef9bb5d349717aae75108b8e648

Download Submit
memory/4800-0-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/4800-1-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4800-2-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4800-71197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5080-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5080-161893-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5080-161896-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5080-161897-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5080-161899-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5080-161903-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download