17a271738f7174e948a2099b79820046c0f88539f9321e2d33659f6c7c5af06c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0ef7ad4b7184a1cb43d33042fd4026c_JaffaCakes118.exe
Size

389KB
MD5

d0ef7ad4b7184a1cb43d33042fd4026c
SHA1

179130412c75e36e5946fb285538c70abe71c6ce
SHA256

17a271738f7174e948a2099b79820046c0f88539f9321e2d33659f6c7c5af06c
SHA512

b5168454e9f86e36f60770405db5377557296b03b9a0f0d345bb194010ab37f5b329e5ceaadf44d2a9e48aba2a8a54023c4eba680735a33a6bf4944b4750b97f
SSDEEP

12288:/YW8Ntq3N/HNnqK07/GMORocaC1xUzoSO4mKGAT+:w1Ns31NqBGTPbdvAT

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Kooping = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\assist.exe"	d0ef7ad4b7184a1cb43d33042fd4026c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0ef7ad4b7184a1cb43d33042fd4026c_JaffaCakes118.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\bizhiba\shell\open	d0ef7ad4b7184a1cb43d33042fd4026c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\bizhiba\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\assist.exe\" \"%1\""	d0ef7ad4b7184a1cb43d33042fd4026c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\bizhiba	d0ef7ad4b7184a1cb43d33042fd4026c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\bizhiba\URL Protocol = "C:\\Users\\Admin\\AppData\\Local\\Temp\\assist.exe"	d0ef7ad4b7184a1cb43d33042fd4026c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\bizhiba\ = "BizhibaProtocol"	d0ef7ad4b7184a1cb43d33042fd4026c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\bizhiba\DefaultIcon	d0ef7ad4b7184a1cb43d33042fd4026c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\bizhiba\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\assist.exe,1"	d0ef7ad4b7184a1cb43d33042fd4026c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\bizhiba\shell\open\command	d0ef7ad4b7184a1cb43d33042fd4026c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\bizhiba\shell	d0ef7ad4b7184a1cb43d33042fd4026c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4572	d0ef7ad4b7184a1cb43d33042fd4026c_JaffaCakes118.exe
4572	d0ef7ad4b7184a1cb43d33042fd4026c_JaffaCakes118.exe
4572	d0ef7ad4b7184a1cb43d33042fd4026c_JaffaCakes118.exe
4572	d0ef7ad4b7184a1cb43d33042fd4026c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4572	d0ef7ad4b7184a1cb43d33042fd4026c_JaffaCakes118.exe
4572	d0ef7ad4b7184a1cb43d33042fd4026c_JaffaCakes118.exe
4572	d0ef7ad4b7184a1cb43d33042fd4026c_JaffaCakes118.exe
4572	d0ef7ad4b7184a1cb43d33042fd4026c_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\d0ef7ad4b7184a1cb43d33042fd4026c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d0ef7ad4b7184a1cb43d33042fd4026c_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4572-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4572-2-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4572-1-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4572-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download