b4a8b4a9662e20f74c888ef27a0940b7fb6af2572d3d01d51bed97ac49680a87

Analysis

max time kernel
133s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5a3a06c99e01b856e55b3a178cedd51_JaffaCakes118.exe
Size

222KB
MD5

f5a3a06c99e01b856e55b3a178cedd51
SHA1

ff9d392960cf19d9ec3e9e2fef0d2c24d0e04192
SHA256

b4a8b4a9662e20f74c888ef27a0940b7fb6af2572d3d01d51bed97ac49680a87
SHA512

47098823410f297aacc3d0881b0c198fecec47ec9cb39919f2ca914de5130610dd4569bbe8a88b2f50c598997241a3ccd64f883cc13713c72658578600d41b3d
SSDEEP

3072:uaObYrSD4kjua2DH4xWj5GWp1icKAArDZz4N9GhbkrNEk9bS5VP2rgQ7TzYKMy96:uaKMSD4Yuaelp0yN90QErergWTYy

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1524	F668~1.EXE
1888	F668~1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f5a3a06c99e01b856e55b3a178cedd51_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1524 set thread context of 1888	1524	F668~1.EXE	86

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F668~1.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1888	F668~1.exe
1888	F668~1.exe
1888	F668~1.exe
1888	F668~1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1524	F668~1.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 1524	3152	f5a3a06c99e01b856e55b3a178cedd51_JaffaCakes118.exe	85
PID 3152 wrote to memory of 1524	3152	f5a3a06c99e01b856e55b3a178cedd51_JaffaCakes118.exe	85
PID 3152 wrote to memory of 1524	3152	f5a3a06c99e01b856e55b3a178cedd51_JaffaCakes118.exe	85
PID 1524 wrote to memory of 1888	1524	F668~1.EXE	86
PID 1524 wrote to memory of 1888	1524	F668~1.EXE	86
PID 1524 wrote to memory of 1888	1524	F668~1.EXE	86
PID 1524 wrote to memory of 1888	1524	F668~1.EXE	86
PID 1524 wrote to memory of 1888	1524	F668~1.EXE	86
PID 1524 wrote to memory of 1888	1524	F668~1.EXE	86
PID 1524 wrote to memory of 1888	1524	F668~1.EXE	86
PID 1888 wrote to memory of 3488	1888	F668~1.exe	56
PID 1888 wrote to memory of 3488	1888	F668~1.exe	56
PID 1888 wrote to memory of 3488	1888	F668~1.exe	56
PID 1888 wrote to memory of 3488	1888	F668~1.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3488
- C:\Users\Admin\AppData\Local\Temp\f5a3a06c99e01b856e55b3a178cedd51_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f5a3a06c99e01b856e55b3a178cedd51_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3152
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\F668~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\F668~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\F668~1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\F668~1.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\F668~1.EXE

Filesize
50KB

MD5
d1c1d0f8f4937738180677453ccc7ae0

SHA1
c012cef0784b47c77104f5df8d5a2ddbb22d0ed8

SHA256
02fa188338f9ee5aa914a0884f207a9ac2fce00a11640165029b664d705f703d

SHA512
30944678cc0170d28d0daba86ebc2a9494bc55dad90238cb3714e4c6389033f05b9d0770a7af65154368d96f6a70d74db454d0778f2aff6247cfb163766ec58c

Download Submit
memory/1524-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1524-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1888-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1888-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1888-10-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/1888-13-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1888-16-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/1888-21-0x0000000000410000-0x00000000004D9000-memory.dmp

Filesize
804KB

Download
memory/3488-17-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3488-18-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download