964e43336fed2aefa381d181f58c962e0690e31406ff35d1d44b6c6a9e0eb774

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe
Size

55KB
MD5

642a93206cb3a055012ccc65681e6710
SHA1

31c51d61177c894820d5c332f8dbdac3c6554665
SHA256

964e43336fed2aefa381d181f58c962e0690e31406ff35d1d44b6c6a9e0eb774
SHA512

40f274f355642ea3f876cd89ce9dd2e06d70ded0027dd6e20a0b685e1bd93daac9f5cb1baf719c2affd6d883dc96661e7ff9cdc0fd34652306fbfd9a05e83b2f
SSDEEP

1536:VCqlZmQeDYncJuHcHv6qZHQe3V/H3DVepP1lx:KDDyHcHfH7F/Anlx

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2992	m.exe

Loads dropped DLL 2 IoCs

pid	Process
5096	642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe
5096	642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\WINDOWS\inf\MTQ	642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\inf\MTQ	642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe
File created	C:\WINDOWS\inf\mtq.dll	642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\inf\MTQ	m.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E096F01-9790-4D05-ACDC-91409B1B7A52}	642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E096F01-9790-4D05-ACDC-91409B1B7A52}\	642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E096F01-9790-4D05-ACDC-91409B1B7A52}\InProcServer32	642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E096F01-9790-4D05-ACDC-91409B1B7A52}\InProcServer32\ = "C:\\WINDOWS\\inf\\mtq.dll"	642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E096F01-9790-4D05-ACDC-91409B1B7A52}\InProcServer32\ThreadingModel = "Apartment"	642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5096	642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe
5096	642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5096	642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 2992	5096	642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe	86
PID 5096 wrote to memory of 2992	5096	642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe	86
PID 5096 wrote to memory of 2992	5096	642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe	86
PID 2992 wrote to memory of 3180	2992	m.exe	87
PID 2992 wrote to memory of 3180	2992	m.exe	87
PID 2992 wrote to memory of 3180	2992	m.exe	87

C:\Users\Admin\AppData\Local\Temp\642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5096
- \??\c:\m.exe
  c:\m.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c delself.bat
    3⤵
    PID:3180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\delself.bat

Filesize
19B

MD5
87bcc25b51b58c7a63f10143b156034c

SHA1
f841d51f9bb39db8b8fd4b17e328b3a8066b36d9

SHA256
4d4334f4dde0c7d83bdcb475f1a947d3147e34d8bcdf609ef066b8d2056d07d1

SHA512
b78d5597ad6575d3b0124b0d81f31446b2a0cdd3136d1b13d92390fcadd08029a471f0c38258900a5a38389b0f64102b3f48f622b994ac11a6d09e48beb072e4

Download Submit
C:\Windows\INF\mtq.dll

Filesize
33KB

MD5
f0d92ab4d65f94b9b1338c585567fe27

SHA1
9e027f8c281b5d900a0b814b419413bec2efbde7

SHA256
25043c98a8d88edf4be5565e814c23e29236b7d48d45e9cda1dc1768fd5e070a

SHA512
34b1f53fcdad320ba0d62a3923fe864167d961d636fcb8d192ce0abeb53b5f50015a7a34bf68287816c63cd0dc5a5e346744d325862b98da45651cb8240f7ee7

Download Submit
C:\m.exe

Filesize
55KB

MD5
642a93206cb3a055012ccc65681e6710

SHA1
31c51d61177c894820d5c332f8dbdac3c6554665

SHA256
964e43336fed2aefa381d181f58c962e0690e31406ff35d1d44b6c6a9e0eb774

SHA512
40f274f355642ea3f876cd89ce9dd2e06d70ded0027dd6e20a0b685e1bd93daac9f5cb1baf719c2affd6d883dc96661e7ff9cdc0fd34652306fbfd9a05e83b2f

Download Submit
memory/2992-18-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5096-5-0x0000000002130000-0x000000000213E000-memory.dmp

Filesize
56KB

Download
memory/5096-20-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5096-21-0x0000000002130000-0x000000000213E000-memory.dmp

Filesize
56KB

Download
memory/5096-43-0x0000000002130000-0x000000000213E000-memory.dmp

Filesize
56KB

Download