ae5ca1a5890af800c360d21d82627cc7db09b82f5ca3c432febe2ca943fcb7a7

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/04/2024, 21:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e88291a3eb2d2d945c92d645e243a527_JaffaCakes118.exe
Size

37KB
MD5

e88291a3eb2d2d945c92d645e243a527
SHA1

55ba557535d733016be1e93f26e6478177627c6e
SHA256

ae5ca1a5890af800c360d21d82627cc7db09b82f5ca3c432febe2ca943fcb7a7
SHA512

3367dab022800dcdd103523746511816873a5c301a99b2ed487b51cd22b1c458756b5d7702da7fffda385b7fdc6f0376e85c33c2818484c0eb8993cc14575505
SSDEEP

768:zOHBAyI02Ag68hGeiLeNi/E4oAz7T6wKo1nQyoi5lpF8US:z+BAX1Agomi/doALfKpyt3rS

Score

8^/10

persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\AppDataLow = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
1460	svchost.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2008-0-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2008	e88291a3eb2d2d945c92d645e243a527_JaffaCakes118.exe
2008	e88291a3eb2d2d945c92d645e243a527_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1460	2008	e88291a3eb2d2d945c92d645e243a527_JaffaCakes118.exe	28
PID 2008 wrote to memory of 1460	2008	e88291a3eb2d2d945c92d645e243a527_JaffaCakes118.exe	28
PID 2008 wrote to memory of 1460	2008	e88291a3eb2d2d945c92d645e243a527_JaffaCakes118.exe	28
PID 2008 wrote to memory of 1460	2008	e88291a3eb2d2d945c92d645e243a527_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\e88291a3eb2d2d945c92d645e243a527_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e88291a3eb2d2d945c92d645e243a527_JaffaCakes118.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Adds policy Run key to start application
  - Deletes itself
  PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1460-4-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/1460-3-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/1460-9-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/1460-5-0x0000000000080000-0x0000000000084000-memory.dmp

Filesize
16KB

Download
memory/1460-12-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2008-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2008-1-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2008-2-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads