97c973dd448ba938539f9e0263b7108f13ca9f8734fff7c308a291f759b691f8

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe
Size

48KB
MD5

608e4ce5e00445773fdee643da42718e
SHA1

d809931dc7d6c6f04a01ae10d38ee0ee86be53d1
SHA256

97c973dd448ba938539f9e0263b7108f13ca9f8734fff7c308a291f759b691f8
SHA512

80a9c153d96dbca1c55ca3870cccca5c54d15a77c0a96f487e780c9127c08000b9e47c00bf40164aa8fd7825eb82101f463199511435db4cf484de2ed27559de
SSDEEP

768:ascdOsLQ3H2+qgd4OYkKohyhlatrxuKTlkA8UuALt7aCbGX5/hcK65EfOpZ:1mQtCkKvXatrspPk1hKI15ZpZ

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
35	4212	rundll32.exe
37	4212	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
1732	608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe
4212	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\awtrQJBS.dll,#1"	rundll32.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\nnnnKeeD.dll	608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\nnnnKeeD.dll	608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\awtrQJBS.dll	608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\awtrQJBS.dll	608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\vtUmNGaa.dll	rundll32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{70E5C213-45BC-4494-BA22-025EE7A38A42}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{70E5C213-45BC-4494-BA22-025EE7A38A42}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{70E5C213-45BC-4494-BA22-025EE7A38A42}\InprocServer32\ = "C:\\Windows\\SysWow64\\awtrQJBS.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{70E5C213-45BC-4494-BA22-025EE7A38A42}\InprocServer32\ThreadingModel = "Both"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1732	608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe
1732	608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1732	608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 612	1732	608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe	5
PID 1732 wrote to memory of 4212	1732	608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe	95
PID 1732 wrote to memory of 4212	1732	608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe	95
PID 1732 wrote to memory of 4212	1732	608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe	95
PID 1732 wrote to memory of 5008	1732	608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe	96
PID 1732 wrote to memory of 5008	1732	608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe	96
PID 1732 wrote to memory of 5008	1732	608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe	96
PID 4212 wrote to memory of 3880	4212	rundll32.exe	98
PID 4212 wrote to memory of 3880	4212	rundll32.exe	98
PID 4212 wrote to memory of 3880	4212	rundll32.exe	98

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\awtrQJBS.dll,a
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\system32\vtUmNGaa.dll",s
    3⤵
    PID:3880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\removalfile.bat "C:\Users\Admin\AppData\Local\Temp\608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe"
  2⤵
  PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\removalfile.bat

Filesize
43B

MD5
9a7ef09167a6f4433681b94351509043

SHA1
259b1375ed8e84943ca1d42646bb416325c89e12

SHA256
d5739a0510d89da572eb0b0d394d4fb4dd361cd9ee0144b9b31c590df93c3be7

SHA512
96b84cd88a0e4b7c1122af3ed6ce5edf0a9a4e9bf79575eadfac16b2c46f1278d57755d29f21d7c6dcb4403be24b7ac7da4837c6cc9c602342a8f2b8e54883df

Download Submit
C:\Windows\SysWOW64\nnnnKeeD.dll

Filesize
34KB

MD5
c03da72257e3c41d39056605b01dbd61

SHA1
27dda6a3222759167f48e84c5b3c6686992df60b

SHA256
08c3e4516fd54b2dc9c1c98509e003e8e238c89a363719cab657381511d4ce65

SHA512
80e2061f3b13133b72d2909c687692505b0242802e95fbc7d21f1b5fb460610436cb53ec7e1d48cde31eb7407405bf99a5790de7c8acc9883287919ce7f8663c

Download Submit
C:\Windows\SysWOW64\vtUmNGaa.dll

Filesize
1KB

MD5
3c7214f692a36eac104629adbd630401

SHA1
bc01b5bccd69d002b71be2682e186a8bbc5e1190

SHA256
667714fe60873062ebba2348af1aab499de16330306c1cc2d2b8d3e223b2db25

SHA512
04b5decd3e7fd7e85f44543e02f4057777fb7e58236007267748e9d111c2df2d4d88f85eca3374c84e363c266d20bc22428614b6bb443c2bd48f12f5ff38be2d

Download Submit
memory/1732-15-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1732-8-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1732-9-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1732-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1732-16-0x00000000006B0000-0x00000000006B6000-memory.dmp

Filesize
24KB

Download
memory/1732-2-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1732-1-0x00000000006B0000-0x00000000006B6000-memory.dmp

Filesize
24KB

Download
memory/4212-24-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4212-26-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4212-25-0x0000000002CF0000-0x0000000002CF6000-memory.dmp

Filesize
24KB

Download
memory/4212-33-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download