f31c503ee699ea21773589bcf432714f724613374a61e16e4cc8bbbf5596d5af

Analysis

max time kernel
133s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19c2fbbcdcec7854a366e46d82162c51_JaffaCakes118.exe
Size

600KB
MD5

19c2fbbcdcec7854a366e46d82162c51
SHA1

79e00cec8f02d8970e1427fbc1b46d989e5d578e
SHA256

f31c503ee699ea21773589bcf432714f724613374a61e16e4cc8bbbf5596d5af
SHA512

879ce4d25315e8252b1633bf417d21ccbe2d601bcf6e8579e7f4d57febbfeb39225f335a8594a9347d5472835ee9651be22ea0ceb0ae4f06c5f1acc1e0b471a5
SSDEEP

12288:UFIQctGozEaVwSo+A4XSuS9ASxv9dtb3H4q6fB8O27N14IsAd3O0:UFIQc8+ENfuSZvxvBr4Jf2OadsW3O

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

19c2fbbcdcec7854a366e46d82162c51_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio Device = "C:\\Users\\Admin\\AppData\\Roaming\\Gq27LuqSsOfa.exe"	19c2fbbcdcec7854a366e46d82162c51_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Graphic Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Gq27LuqSsOfa.exe"	19c2fbbcdcec7854a366e46d82162c51_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

19c2fbbcdcec7854a366e46d82162c51_JaffaCakes118.exe

description	pid	process	target process
PID 384 wrote to memory of 948	384	19c2fbbcdcec7854a366e46d82162c51_JaffaCakes118.exe	19c2fbbcdcec7854a366e46d82162c51_JaffaCakes118.exe
PID 384 wrote to memory of 948	384	19c2fbbcdcec7854a366e46d82162c51_JaffaCakes118.exe	19c2fbbcdcec7854a366e46d82162c51_JaffaCakes118.exe
PID 384 wrote to memory of 948	384	19c2fbbcdcec7854a366e46d82162c51_JaffaCakes118.exe	19c2fbbcdcec7854a366e46d82162c51_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\19c2fbbcdcec7854a366e46d82162c51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19c2fbbcdcec7854a366e46d82162c51_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:384

C:\Users\Admin\AppData\Local\Temp\19c2fbbcdcec7854a366e46d82162c51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19c2fbbcdcec7854a366e46d82162c51_JaffaCakes118.exe"
2⤵
PID:948

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/384-0-0x0000000074A92000-0x0000000074A93000-memory.dmp

Filesize
4KB

Download
memory/384-1-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/384-2-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/384-5-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/384-7-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download