Analysis

  • max time kernel
    96s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/07/2024, 10:48

General

  • Target

    62ef177fa8d1dcdc462bfa0e940a298c_JaffaCakes118.exe

  • Size

    13KB

  • MD5

    62ef177fa8d1dcdc462bfa0e940a298c

  • SHA1

    5ad40d1a09533c77d32999d19fa3b1b0a2270129

  • SHA256

    8fdb475f6a060ec97965085dcd86b48cdd7206d410ac5f627966c7bbd9bec81d

  • SHA512

    acdaf5e28302ce30262732dfea283758249460cad9014c2b0f57028b255d6b3d8f0733d924536f123ce5395931d57f10bb87106f18fc64fa72eadbc565f49105

  • SSDEEP

    384:ZIpffY/aT/MG/BsZHCVF3SWdT+NxhWmjhL2NW:ZIpf8a7JBgHCVBSWdukmjqW

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 1 IoC)
  • Loads dropped DLL (1 IoC)
  • Drops file in System32 directory (3 IoCs)
  • Modifies registry class (4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\62ef177fa8d1dcdc462bfa0e940a298c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\62ef177fa8d1dcdc462bfa0e940a298c_JaffaCakes118.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2836
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1DC4.tmp.bat
      2⤵
        PID:4784

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\1DC4.tmp.bat

      Filesize

      207B

      MD5

      7ab6c1b0ca620cbe0432262442adcbe4

      SHA1

      ddd52fc3a9718d2fb6e1f7413f56decec56a1685

      SHA256

      2ca84603989d47144ddd8a83e5c2aaf31b36eb7c2d0c10c34d9d7a45a81e5ac4

      SHA512

      07c29a838b3f09e4b0692675fe7d5e7e8edd00a614e9b452d28b9402b4018cbddd72b8fad42bec57bca9be52c5238add250ad70822d60d61ba4b019f1f585e8c

    • C:\Windows\SysWOW64\adsntzt.tmp

      Filesize

      582KB

      MD5

      db02ec647021b39de3dac907f5747743

      SHA1

      f888cf3980cd290f0df706269882521993d86aba

      SHA256

      7a9b36461131b0852d5d218da220ca465d9c1b37fba59fbd229746f6c53ce212

      SHA512

      1b2d11a0e2e398918196e6f2a14e2c9b4b4d582e29b2d3a03285d243f2d5cac87c17105bd2ca5aabc58bca81b501f3fb6fbfff324fff3e83fba9baf310c89143

    • memory/2836-13-0x0000000020000000-0x0000000020008000-memory.dmp

      Filesize

      32KB

    • memory/2836-17-0x0000000020000000-0x0000000020008000-memory.dmp

      Filesize

      32KB