cbad509a0e6fae8870308ae58dbc10507c5a76159315e8cfe1923086924491d6

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Size

143KB
MD5

1b0345e97b24720ac1f907b04f84f1ef
SHA1

cde1d9dceb37cf0adebdf8d318a24b3ac1406af8
SHA256

cbad509a0e6fae8870308ae58dbc10507c5a76159315e8cfe1923086924491d6
SHA512

3f7d1c0a83b865b743a1ff01718ac99b254cda3fea7366ea304b5f7c39c6490d3f928afe88da772f0fe8092c6d7b1681c76ba24b39dde0418504c57470fc4bf3
SSDEEP

3072:JaiKXvKJW5zpd7rVXJ1RRA/SlXJKY/X1AKmo7D9NJO0vS:B6vKJqzNw/+vF2eDnvS

Score

8^/10

persistence privilege_escalation vmprotect

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1472 rundll32.exe
VMProtect packed file 1 IoCs
Detects executables packed with VMProtect commercial packer.
vmprotect

Processes:

resource yara_rule

C:\Windows\SysWOW64\HIMYM.dll vmprotect

pid	process
1472	rundll32.exe

resource	yara_rule
C:\Windows\SysWOW64\HIMYM.dll	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Disker = "rundll32.exe C:\\Windows\\System32\\HIMYM.dll,DW"	rundll32.exe

Drops file in System32 directory 1 IoCs

Processes:

1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe

description ioc process

File created C:\Windows\SysWOW64\HIMYM.DLL 1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HIMYM.DLL	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe

pid	process
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
Token: SeDebugPrivilege	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rundll32.exe

pid process

1472 rundll32.exe

pid	process
1472	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe

description	pid	process	target process
PID 4752 wrote to memory of 1472	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe	rundll32.exe
PID 4752 wrote to memory of 1472	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe	rundll32.exe
PID 4752 wrote to memory of 1472	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe	rundll32.exe
PID 4752 wrote to memory of 1952	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe	cmd.exe
PID 4752 wrote to memory of 1952	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe	cmd.exe
PID 4752 wrote to memory of 1952	4752	1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\HIMYM.DLL,DW
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1b0345e97b24720ac1f907b04f84f1ef_JaffaCakes118.exe"
2⤵
PID:1952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3144 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:2240

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\HIMYM.dll
Filesize
136KB

MD5
d78eb3893db89f73e2947070d04d1ebc

SHA1
926717219c5294b2b8710cba75250f508afda351

SHA256
5e47e54283cf3cdf6a2012edfe8ee3973dafcc445888e4ba0288b23895930c14

SHA512
9f6c6b37c141a2500908e644ece23a0f2396677b3d6d05174f417fc5a62e004666de3d26f6f5d208de8f5f8404a783bd3c92eab965c1e775967bc911d48fe93a

Download Submit
memory/4752-0-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4752-3-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download