8fdb475f6a060ec97965085dcd86b48cdd7206d410ac5f627966c7bbd9bec81d

Analysis

max time kernel
96s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62ef177fa8d1dcdc462bfa0e940a298c_JaffaCakes118.exe
Size

13KB
MD5

62ef177fa8d1dcdc462bfa0e940a298c
SHA1

5ad40d1a09533c77d32999d19fa3b1b0a2270129
SHA256

8fdb475f6a060ec97965085dcd86b48cdd7206d410ac5f627966c7bbd9bec81d
SHA512

acdaf5e28302ce30262732dfea283758249460cad9014c2b0f57028b255d6b3d8f0733d924536f123ce5395931d57f10bb87106f18fc64fa72eadbc565f49105
SSDEEP

384:ZIpffY/aT/MG/BsZHCVF3SWdT+NxhWmjhL2NW:ZIpf8a7JBgHCVBSWdukmjqW

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\adsntzt.dll = "{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}"	62ef177fa8d1dcdc462bfa0e940a298c_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2836	62ef177fa8d1dcdc462bfa0e940a298c_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\adsntzt.tmp	62ef177fa8d1dcdc462bfa0e940a298c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\adsntzt.tmp	62ef177fa8d1dcdc462bfa0e940a298c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\adsntzt.nls	62ef177fa8d1dcdc462bfa0e940a298c_JaffaCakes118.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}\InProcServer32\ = "C:\\Windows\\SysWow64\\adsntzt.dll"	62ef177fa8d1dcdc462bfa0e940a298c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}\InProcServer32\ThreadingModel = "Apartment"	62ef177fa8d1dcdc462bfa0e940a298c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}	62ef177fa8d1dcdc462bfa0e940a298c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}\InProcServer32	62ef177fa8d1dcdc462bfa0e940a298c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2836	62ef177fa8d1dcdc462bfa0e940a298c_JaffaCakes118.exe
2836	62ef177fa8d1dcdc462bfa0e940a298c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2836	62ef177fa8d1dcdc462bfa0e940a298c_JaffaCakes118.exe
2836	62ef177fa8d1dcdc462bfa0e940a298c_JaffaCakes118.exe
2836	62ef177fa8d1dcdc462bfa0e940a298c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 4784	2836	62ef177fa8d1dcdc462bfa0e940a298c_JaffaCakes118.exe	94
PID 2836 wrote to memory of 4784	2836	62ef177fa8d1dcdc462bfa0e940a298c_JaffaCakes118.exe	94
PID 2836 wrote to memory of 4784	2836	62ef177fa8d1dcdc462bfa0e940a298c_JaffaCakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\62ef177fa8d1dcdc462bfa0e940a298c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\62ef177fa8d1dcdc462bfa0e940a298c_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1DC4.tmp.bat
  2⤵
  PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1DC4.tmp.bat

Filesize
207B

MD5
7ab6c1b0ca620cbe0432262442adcbe4

SHA1
ddd52fc3a9718d2fb6e1f7413f56decec56a1685

SHA256
2ca84603989d47144ddd8a83e5c2aaf31b36eb7c2d0c10c34d9d7a45a81e5ac4

SHA512
07c29a838b3f09e4b0692675fe7d5e7e8edd00a614e9b452d28b9402b4018cbddd72b8fad42bec57bca9be52c5238add250ad70822d60d61ba4b019f1f585e8c

Download Submit
C:\Windows\SysWOW64\adsntzt.tmp

Filesize
582KB

MD5
db02ec647021b39de3dac907f5747743

SHA1
f888cf3980cd290f0df706269882521993d86aba

SHA256
7a9b36461131b0852d5d218da220ca465d9c1b37fba59fbd229746f6c53ce212

SHA512
1b2d11a0e2e398918196e6f2a14e2c9b4b4d582e29b2d3a03285d243f2d5cac87c17105bd2ca5aabc58bca81b501f3fb6fbfff324fff3e83fba9baf310c89143

Download Submit
memory/2836-13-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download
memory/2836-17-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download