15248611bb13ad117b920beab27b4127548d507a404a221db8cdb6f48245c852

Analysis

max time kernel
17s
max time network
26s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/08/2024, 05:06

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
Size

812KB
MD5

8d6e16652255248faf57ad57c890c36d
SHA1

4403ef0c6b8ca2f0d66a5d1ab8fab014bc6d7a74
SHA256

15248611bb13ad117b920beab27b4127548d507a404a221db8cdb6f48245c852
SHA512

668965db931da5c620ac59b84b79d70edb04af7df09bee95147b8b350bc11992686a3f7c34747b68a714826b10ff49a27fa23098df4441975ae85859debda5e0
SSDEEP

24576:g8QT6rzvo4ZD1yiQQNN3iR1n7HNhf1zRZ27n0:R5AQH817HNhvSn

Score

7^/10

discovery

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskmngr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	taskmngr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskmngr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	taskmngr.exe

Executes dropped EXE 4 IoCs

pid	Process
1944	taskmngr.exe
3700	taskmngr.exe
2780	taskmngr.exe
4452	taskmngr.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\taskmngr.exe	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\taskmngr.exe	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\taskmngr.exe	taskmngr.exe
File created	C:\Windows\SysWOW64\taskmngr.exe	taskmngr.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmngr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmngr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmngr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmngr.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\InProcServer32\ThreadingModel = "Both"	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\kvCEdfzzjLcc = "hHMbU`fiPLa_PWc`yTjS~hEI"	taskmngr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\jctpmezfLXV = "B^pVVtvlz@EjEyQrJ\x7fEmhPxmUryT}]ta"	taskmngr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\tpfdyldrkrO = "mY\x7fOa\|Aq{[]vNOh_M{MZ"	taskmngr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\jctpmezfLXV = "B^pVVtvlz@EiEyQrJ\x7fEnhPxmUryT}]ta"	taskmngr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\qiAucm = "}dQ}YRgc_uK{OTsmgczjG~nv"	taskmngr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\Containers	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\InProcServer32	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\InProcServer32\ = "%SystemRoot%\\SysWow64\\windowscodecs.dll"	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\kOfZEUyGexdHu = "\x7fOdI]omZ}LpCUwdk"	taskmngr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\zwcJmdrjcyto = "F`"	taskmngr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\QjeSnhtmp = "\|bluy^Z_{poxUBg@"	taskmngr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\zwcJmdrjcyto = "^p"	taskmngr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\qiAucm = "}dQ}YRgc_uK{OT\x7fmgczj{q{S"	taskmngr.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\TEMP:5D2892D9	taskmngr.exe
File created	C:\ProgramData\TEMP:5D2892D9	taskmngr.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	4936	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4936	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
Token: 33	4936	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4936	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
Token: 33	3700	taskmngr.exe
Token: SeIncBasePriorityPrivilege	3700	taskmngr.exe
Token: 33	3700	taskmngr.exe
Token: SeIncBasePriorityPrivilege	3700	taskmngr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 3196 wrote to memory of 4936	3196	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	84
PID 4936 wrote to memory of 1944	4936	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	88
PID 4936 wrote to memory of 1944	4936	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	88
PID 4936 wrote to memory of 1944	4936	8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe	88
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 1944 wrote to memory of 3700	1944	taskmngr.exe	89
PID 3700 wrote to memory of 2780	3700	taskmngr.exe	97
PID 3700 wrote to memory of 2780	3700	taskmngr.exe	97
PID 3700 wrote to memory of 2780	3700	taskmngr.exe	97
PID 2780 wrote to memory of 4452	2780	taskmngr.exe	98
PID 2780 wrote to memory of 4452	2780	taskmngr.exe	98
PID 2780 wrote to memory of 4452	2780	taskmngr.exe	98

C:\Users\Admin\AppData\Local\Temp\8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Users\Admin\AppData\Local\Temp\8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\SysWOW64\taskmngr.exe
    C:\Windows\system32\taskmngr.exe 1308 "C:\Users\Admin\AppData\Local\Temp\8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\SysWOW64\taskmngr.exe
      C:\Windows\system32\taskmngr.exe 1308 "C:\Users\Admin\AppData\Local\Temp\8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3700
    - - C:\Windows\SysWOW64\taskmngr.exe
        
        C:\Windows\system32\taskmngr.exe 1476 "C:\Windows\SysWOW64\taskmngr.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Windows\SysWOW64\taskmngr.exe
        
        C:\Windows\system32\taskmngr.exe 1476 "C:\Windows\SysWOW64\taskmngr.exe"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:5D2892D9

Filesize
99B

MD5
c8f60cda1b25f5042de2c46674d3fd62

SHA1
9f6a5e1f67acacae691478db64aef4c9db6d90b6

SHA256
8623a5b7b2de2c770704e1aec2c89e543e1f45335e5567ce904059138deff281

SHA512
8dc9e4ec941095dda3ae1dd740a89ea0b4e3e140144e2e74f149d3b77b11f2639d99fa24ad1c4b7cf67943f184420bf3aaf16d916a32982f0f9ef0469494cd28

Download Submit
C:\Windows\SysWOW64\taskmngr.exe

Filesize
812KB

MD5
8d6e16652255248faf57ad57c890c36d

SHA1
4403ef0c6b8ca2f0d66a5d1ab8fab014bc6d7a74

SHA256
15248611bb13ad117b920beab27b4127548d507a404a221db8cdb6f48245c852

SHA512
668965db931da5c620ac59b84b79d70edb04af7df09bee95147b8b350bc11992686a3f7c34747b68a714826b10ff49a27fa23098df4441975ae85859debda5e0

Download Submit
memory/1944-64-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/1944-26-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3196-0-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3196-34-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3700-41-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3700-38-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3700-57-0x00000000021B0000-0x0000000002245000-memory.dmp

Filesize
596KB

Download
memory/3700-46-0x00000000021B0000-0x0000000002245000-memory.dmp

Filesize
596KB

Download
memory/3700-42-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3700-44-0x00000000021B0000-0x0000000002245000-memory.dmp

Filesize
596KB

Download
memory/3700-27-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3700-43-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3700-28-0x00000000021B0000-0x0000000002245000-memory.dmp

Filesize
596KB

Download
memory/3700-39-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3700-40-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/4452-52-0x0000000002030000-0x00000000020C5000-memory.dmp

Filesize
596KB

Download
memory/4936-15-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/4936-11-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/4936-33-0x0000000000790000-0x0000000000825000-memory.dmp

Filesize
596KB

Download
memory/4936-13-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/4936-9-0x0000000000790000-0x0000000000825000-memory.dmp

Filesize
596KB

Download
memory/4936-16-0x0000000000790000-0x0000000000825000-memory.dmp

Filesize
596KB

Download
memory/4936-10-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/4936-12-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/4936-14-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/4936-4-0x0000000000790000-0x0000000000825000-memory.dmp

Filesize
596KB

Download
memory/4936-3-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download