7c81dccae6c096816d41e0ca0be1234d5742372a78d2a8da8a38a50fb65e4213

Analysis

max time kernel
141s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
Size

86KB
MD5

8ab1a4db3f7b0ff75f239ee56d8e6774
SHA1

1d711badffa5c508a2d37380643c91dabdc75be7
SHA256

7c81dccae6c096816d41e0ca0be1234d5742372a78d2a8da8a38a50fb65e4213
SHA512

7f6d77aee3514587d31325228ae220917c61eddba8202d5ce77fcbc29ea83116260cfbfd175f75a813caf95597a443ba9358d9d69205a3f68f1edfdc84b50c6a
SSDEEP

1536:houpWZs7TcALe5Eaul2eaNbEAHI7fLw50MzpczDpmUvIoFCF1gBx79oK8ccBwzT:hBMmgEaudQb1HZ50MiBdgjoLKdY

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe

Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs

Suspicious Windows Authentication Registry Modification.

persistence privilege_escalation

Authentication Package

T1547.002

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Notification Packages = 610035002e006f0063007800000073006300650063006c00690000000000	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\a5.ocx	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\a5.ocx	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 3008	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	50
PID 3120 wrote to memory of 3008	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	50
PID 3120 wrote to memory of 3024	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	51
PID 3120 wrote to memory of 3024	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	51
PID 3120 wrote to memory of 1124	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	53
PID 3120 wrote to memory of 1124	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	53
PID 3120 wrote to memory of 3448	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	56
PID 3120 wrote to memory of 3448	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	56
PID 3120 wrote to memory of 3596	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	57
PID 3120 wrote to memory of 3596	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	57
PID 3120 wrote to memory of 3788	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	58
PID 3120 wrote to memory of 3788	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	58
PID 3120 wrote to memory of 3944	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	59
PID 3120 wrote to memory of 3944	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	59
PID 3120 wrote to memory of 4004	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	60
PID 3120 wrote to memory of 4004	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	60
PID 3120 wrote to memory of 4092	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	61
PID 3120 wrote to memory of 4092	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	61
PID 3120 wrote to memory of 4128	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	62
PID 3120 wrote to memory of 4128	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	62
PID 3120 wrote to memory of 3020	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	75
PID 3120 wrote to memory of 3020	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	75
PID 3120 wrote to memory of 2184	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	76
PID 3120 wrote to memory of 2184	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	76
PID 3120 wrote to memory of 4492	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	81
PID 3120 wrote to memory of 4492	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	81
PID 3120 wrote to memory of 1044	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	85
PID 3120 wrote to memory of 1044	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	85
PID 3120 wrote to memory of 408	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	86
PID 3120 wrote to memory of 408	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	86
PID 3120 wrote to memory of 692	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	97
PID 3120 wrote to memory of 692	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	97
PID 3120 wrote to memory of 3164	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	101
PID 3120 wrote to memory of 3164	3120	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	101

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3024

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:1124

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3448
- C:\Users\Admin\AppData\Local\Temp\8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Boot or Logon Autostart Execution: Authentication Package
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3788

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3944

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4004

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4092

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4128

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3020

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2184

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:4492

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1044

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:408

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:692

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sA74C.tmp

Filesize
72KB

MD5
8f2b5c32b2379a5123c2ac35a4a6debb

SHA1
306609b3019cf9fa694561d419317921f30a80a1

SHA256
cf4c535ec8c2127e99b41c03b312eb70c2342c58f4c83cc011ecc172595a897f

SHA512
25bc7fadcb80c8d035816c0878c3e4a326af43a3c3dbff3df81d88b0c36b1694033f6c2296ef5b1a13671f6aa45d8c6c3c9a4e3430e4854719ea6b3ce6b37cb3

Download Submit
memory/3120-0-0x00000000001E0000-0x00000000001F2000-memory.dmp

Filesize
72KB

Download
memory/3120-5-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download