0455da8d01952f0709b32f6dbaf34b48d9753ae034b0874bc3cc9dc4ef856080

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2024, 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
Size

15KB
MD5

ed46034ddd1b55c03dad43f51cf65ae3
SHA1

f21e112e880de9c6038da6b96a737faae4082b0e
SHA256

0455da8d01952f0709b32f6dbaf34b48d9753ae034b0874bc3cc9dc4ef856080
SHA512

df7758aea0990b51a4a310ec5aab06dc08427e68a1a5f19560c85146a85dbba266204da095806b8483773861b1eac7cc7e1f8b47dd9840b6666ed46cb378664e
SSDEEP

384:MkxO70M1uhxbnUicuK7hS6nXUyzdXAy5Hv:TA9uzbMuguQ

Score

8^/10

persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\some = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe"	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2480	scm.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2408-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2408-5-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2480	scm.exe
2480	scm.exe
2480	scm.exe
2480	scm.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2480	scm.exe
2480	scm.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2480	scm.exe
2480	scm.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2480	scm.exe
2480	scm.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2480	scm.exe
2480	scm.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2480	scm.exe
2480	scm.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2480	scm.exe
2480	scm.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2480	scm.exe
2480	scm.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2480	scm.exe
2480	scm.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2480	scm.exe
2480	scm.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2480	scm.exe
2480	scm.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2480	scm.exe
2480	scm.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2480	scm.exe
2480	scm.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2480	scm.exe
2480	scm.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2480	scm.exe
2480	scm.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2480	2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe	84
PID 2408 wrote to memory of 2480	2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe	84
PID 2408 wrote to memory of 2480	2408	ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\scm.exe
  C:\Users\Admin\AppData\Local\Temp\scm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\scm.exe

Filesize
6KB

MD5
a86e481c0dfc355c94aa23aaf44cf566

SHA1
5d5ffc4a9cf70b5c0881bb61ccd3987cbd7c0178

SHA256
8f7b3d8c7838e5ca6f969697be8a94bf836a0dea5cf22cec280942bd8bb7c1be

SHA512
8f238ad5d3c0991b8a5c3295c56e2c12bf6bd2c4991f616b682d6c6bf788acdfa1638a248c1fabe6b5df74ee740bf8814b08057bc539151514194a89803ad115

Download Submit
memory/2408-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2408-5-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download