4d2c1a8b392f7e955854c467030089da5127d04ecb759fadc22f025af0442627

Analysis

max time kernel
140s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65e86eb593cd24f71e33a625edd43537_JaffaCakes118.exe
Size

156KB
MD5

65e86eb593cd24f71e33a625edd43537
SHA1

03374072405bedc4e8d92523b5b24dc341dd9ff3
SHA256

4d2c1a8b392f7e955854c467030089da5127d04ecb759fadc22f025af0442627
SHA512

9ba1b9cf364d3834f5e31a470df91920c87fc43e83f59b552378aa2a7d0541c54a6004c6b64a823f484a1f61b763b32b85e34a9ffbe446d71f147a1d1a26d95e
SSDEEP

3072:JGu9BlfzWIbXWm+w0Js5iWR4GTShhUYld/TAxu8FlCYQL0uz05SEX:J/0uog4GTMon+Y40uQV

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3860	5.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	65e86eb593cd24f71e33a625edd43537_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 3860	2580	65e86eb593cd24f71e33a625edd43537_JaffaCakes118.exe	85
PID 2580 wrote to memory of 3860	2580	65e86eb593cd24f71e33a625edd43537_JaffaCakes118.exe	85
PID 2580 wrote to memory of 3860	2580	65e86eb593cd24f71e33a625edd43537_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\65e86eb593cd24f71e33a625edd43537_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\65e86eb593cd24f71e33a625edd43537_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
  2⤵
  - Executes dropped EXE
  PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe

Filesize
140KB

MD5
7bac79ae65e02d0a2e850b0df1786a3f

SHA1
591283469214d121ea1d371287ad00ce8e04d584

SHA256
3b465c3efe4c8d390ecdec06543cc07be2c64deb833daeaf834a71e7ceb33699

SHA512
df0f3228b35e83b4a168cc8662cc5bae75402f8d3d3e3c9284c5b78d0d2216a2eae947a2048f50a3f074467bde29e34d9eed06b3f895715027762bb7b2d06f8e

Download Submit
memory/3860-5-0x00000000021C0000-0x00000000021FC000-memory.dmp

Filesize
240KB

Download
memory/3860-6-0x0000000000401000-0x0000000000408000-memory.dmp

Filesize
28KB

Download
memory/3860-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads