3c9e408e6591602052339e1a7511422d7644c6c2cb8c683ec276e95888d2be1f

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea2d4dc14a34c48fe9345ff7fed04727_JaffaCakes118.exe
Size

35KB
MD5

ea2d4dc14a34c48fe9345ff7fed04727
SHA1

093fdc0be7f5c1166551e35a961a35b8abbbb102
SHA256

3c9e408e6591602052339e1a7511422d7644c6c2cb8c683ec276e95888d2be1f
SHA512

f8ce6c5567e2bd5b3ad11298de5cb48e0e3104f7d1dcf421dfbbb4dce421988b1309c342fbf0d9cd849261298b1083f47b6dd49d5e33ee76ba1a921237e5a5ec
SSDEEP

768:gCkSsf4ssqtlrCE+51fiL8cNsiX8liiE56:gCkV0KlCpfqNse8li156

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2520	mtvhits.exe

Loads dropped DLL 1 IoCs

pid	Process
2188	ea2d4dc14a34c48fe9345ff7fed04727_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2188-1-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/files/0x000b000000012257-5.dat	upx
behavioral1/memory/2188-9-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2520-14-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2520	2188	ea2d4dc14a34c48fe9345ff7fed04727_JaffaCakes118.exe	28
PID 2188 wrote to memory of 2520	2188	ea2d4dc14a34c48fe9345ff7fed04727_JaffaCakes118.exe	28
PID 2188 wrote to memory of 2520	2188	ea2d4dc14a34c48fe9345ff7fed04727_JaffaCakes118.exe	28
PID 2188 wrote to memory of 2520	2188	ea2d4dc14a34c48fe9345ff7fed04727_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\ea2d4dc14a34c48fe9345ff7fed04727_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea2d4dc14a34c48fe9345ff7fed04727_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\mtvhits.exe
  "C:\Users\Admin\AppData\Local\Temp\mtvhits.exe"
  2⤵
  - Executes dropped EXE
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\mtvhits.exe

Filesize
35KB

MD5
4ac4ac82b433ca7e63a064442f8f02e1

SHA1
681b23380bede28dcf2095b9cc443cda43af8a60

SHA256
792e746862f40817093c68bd64a49b4b0f04412140fa69bdaa2785f177f7e76f

SHA512
14bc1e7dfae4e5f332e7cb29bfd599b2faae78e19bda5ac6e969530eaae350e51d2d1ef5437a48246851aca3bbd94786430e83dab20171a0047532f238c29efe

Download Submit
memory/2188-0-0x0000000004000000-0x0000000004005000-memory.dmp

Filesize
20KB

Download
memory/2188-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2188-2-0x0000000004000000-0x0000000004005000-memory.dmp

Filesize
20KB

Download
memory/2188-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2188-11-0x0000000002B90000-0x0000000002BA4000-memory.dmp

Filesize
80KB

Download
memory/2188-18-0x0000000002B90000-0x0000000002BA4000-memory.dmp

Filesize
80KB

Download
memory/2520-14-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2520-15-0x0000000004000000-0x0000000004005000-memory.dmp

Filesize
20KB

Download