2f319c522bce7d3a7853bfb9c88574924ae15a0f68d58feac19d9bb9033b0ce1

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe
Size

14KB
MD5

63f432aec9772a884160d896882cbe0a
SHA1

22b37f7ee38f08666195e5851de117643d582fba
SHA256

2f319c522bce7d3a7853bfb9c88574924ae15a0f68d58feac19d9bb9033b0ce1
SHA512

025cc07d8f89b2c97c183845f331d36fc5d2ea8cc6680398281ceccb9e0aa31ef0909aebcfb63f6f6e5dbb5ad148926a295eb45d8cd6c0cd56173b460be89ce0
SSDEEP

384:1o+PRpVf1vpCtuMihEM2P5Nt6tA6gbvqQj85A:15PRpV9YMMmEM2P5Nt6sRj8a

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\xolehlpjh.dll = "{F0930A2F-D971-4828-8209-B7DFD266ED44}"	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2520	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xolehlpjh.tmp	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xolehlpjh.tmp	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xolehlpjh.nls	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0930A2F-D971-4828-8209-B7DFD266ED44}	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0930A2F-D971-4828-8209-B7DFD266ED44}\InProcServer32	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0930A2F-D971-4828-8209-B7DFD266ED44}\InProcServer32\ = "C:\\Windows\\SysWow64\\xolehlpjh.dll"	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0930A2F-D971-4828-8209-B7DFD266ED44}\InProcServer32\ThreadingModel = "Apartment"	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2520	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe
2520	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2520	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe
2520	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe
2520	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2588	2520	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe	95
PID 2520 wrote to memory of 2588	2520	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe	95
PID 2520 wrote to memory of 2588	2520	63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe	95

C:\Users\Admin\AppData\Local\Temp\63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\63f432aec9772a884160d896882cbe0a_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\4726.tmp.bat
  2⤵
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4726.tmp.bat

Filesize
207B

MD5
45177e0ca17880a867923bf0cb2618a6

SHA1
ace717390e33eb32bb2fec824ddd9d14485d7bca

SHA256
446b2ec13b541c29c58b3b9fe6d8640a5bf3f900f0bd3e124f90a533dde1f98f

SHA512
4e847b44eacac06387e951453f8a0487d259d6427ee87ba58f22addcc376f59210ff6eacd5ab979ba901f47501ef230281bbbbeff096a9de9a448dfaffca0f7c

Download Submit
C:\Windows\SysWOW64\xolehlpjh.tmp

Filesize
2.2MB

MD5
9061c61fea0270494ce779ad5fcaeea7

SHA1
cf5d52c91a7f469d86b86a4cfb804b4e314af8e3

SHA256
ad1912429fd71f03f8b5c33540a3669f7a983afdd2eea96ec20441ae231e7259

SHA512
81ffcbf781b6231e24a286d359afa6ae87ea6ce62298ec9742e2245b3d7bf0d585eafed49220dd99ae201415b4ce0f8870b0ce44e20803fbada24c29f4d8f780

Download Submit
memory/2520-13-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2520-17-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download