bad16f711f8d962c0a9d80a67205df38e5389c8c1d4a6d43ec8e438273d66fdb

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2024, 11:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ed45e409a71645f496ebd0f2698cef60_JaffaCakes118.exe
Size

10KB
MD5

ed45e409a71645f496ebd0f2698cef60
SHA1

b0e5e0773fbd1389799e21f5cd5e1739f4df829a
SHA256

bad16f711f8d962c0a9d80a67205df38e5389c8c1d4a6d43ec8e438273d66fdb
SHA512

37697817bfcca87aafc8c02e6132d6feca973083f0729a80d1a2e2c11e5a5eef0da870ead967028cfac1449a74192492bff51c94209036afd6dc4b432770eaa2
SSDEEP

192:q4XuJaaKhJAUqeHeZUW57IdH/jIkbW3PffQi3U8228k9u7+:BS09+ZUWsISWfffLQM9y+

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
1492	comremok.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/396-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x0007000000023213-4.dat	upx
behavioral2/memory/396-8-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1492-10-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\comremok.exe	ed45e409a71645f496ebd0f2698cef60_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\comremo.dll	ed45e409a71645f496ebd0f2698cef60_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\comremok.exe	ed45e409a71645f496ebd0f2698cef60_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
396	ed45e409a71645f496ebd0f2698cef60_JaffaCakes118.exe
396	ed45e409a71645f496ebd0f2698cef60_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 1492	396	ed45e409a71645f496ebd0f2698cef60_JaffaCakes118.exe	89
PID 396 wrote to memory of 1492	396	ed45e409a71645f496ebd0f2698cef60_JaffaCakes118.exe	89
PID 396 wrote to memory of 1492	396	ed45e409a71645f496ebd0f2698cef60_JaffaCakes118.exe	89
PID 396 wrote to memory of 1936	396	ed45e409a71645f496ebd0f2698cef60_JaffaCakes118.exe	90
PID 396 wrote to memory of 1936	396	ed45e409a71645f496ebd0f2698cef60_JaffaCakes118.exe	90
PID 396 wrote to memory of 1936	396	ed45e409a71645f496ebd0f2698cef60_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\ed45e409a71645f496ebd0f2698cef60_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed45e409a71645f496ebd0f2698cef60_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:396
- C:\Windows\SysWOW64\comremok.exe
  C:\Windows\system32\comremok.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ed45e409a71645f496ebd0f2698cef60_JaffaCakes118.exe.bat
  2⤵
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ed45e409a71645f496ebd0f2698cef60_JaffaCakes118.exe.bat

Filesize
210B

MD5
bcc40c039a7e56eb71ea89721cf952b6

SHA1
7331be6c2669848ed8d69c15229e3e140a140fe9

SHA256
5d6199f598d1f43edde1c07e18632b4cceeade7963262c734f9ff43c3048983a

SHA512
3f4f991a38494e2ff23ccb3c29174186ce5c5408e284e3fb88bc8e97cb63e0699a170c16856b936517f77dd31b934b1ee0b5c207c53b3238d1ad326f7fea4e91

Download Submit
C:\Windows\SysWOW64\comremok.exe

Filesize
10KB

MD5
ed45e409a71645f496ebd0f2698cef60

SHA1
b0e5e0773fbd1389799e21f5cd5e1739f4df829a

SHA256
bad16f711f8d962c0a9d80a67205df38e5389c8c1d4a6d43ec8e438273d66fdb

SHA512
37697817bfcca87aafc8c02e6132d6feca973083f0729a80d1a2e2c11e5a5eef0da870ead967028cfac1449a74192492bff51c94209036afd6dc4b432770eaa2

Download Submit
memory/396-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/396-8-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1492-10-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download