82ce08a0f21c5ed17ae9c7398a109be7284bbe12eee716ce701ab5f393590ff5

Analysis

max time kernel
95s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f01ef057f23f2116a29fce1a698d238d_JaffaCakes118.exe
Size

374KB
MD5

f01ef057f23f2116a29fce1a698d238d
SHA1

4e7ee27ce39576d5eb802edc60b2bb9d317a1a72
SHA256

82ce08a0f21c5ed17ae9c7398a109be7284bbe12eee716ce701ab5f393590ff5
SHA512

a1e21c8e1e188c9989d63a8d9db011f8231392e66e968bad094e2b7d3084ab5cec89d9b9090a4e73269441aae4f9859761041367b1e47a388a6ba527c9c37018
SSDEEP

6144:NS+6eXG1LasZubmVbP5SKEdz3/gwlB/iySRJVWvvZjl+/B2uGyXubTj/SdBOgeYH:ZLXgWHmh5VEdTxlB6JUvZABlaHjaztVZ

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5036	dL38001JpPdH38001.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3104-0-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3104-3-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/files/0x00080000000233eb-13.dat	upx
behavioral2/memory/5036-15-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3104-16-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/5036-19-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/5036-25-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dL38001JpPdH38001 = "C:\\ProgramData\\dL38001JpPdH38001\\dL38001JpPdH38001.exe"	dL38001JpPdH38001.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3104	f01ef057f23f2116a29fce1a698d238d_JaffaCakes118.exe
3104	f01ef057f23f2116a29fce1a698d238d_JaffaCakes118.exe
5036	dL38001JpPdH38001.exe
5036	dL38001JpPdH38001.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3104	f01ef057f23f2116a29fce1a698d238d_JaffaCakes118.exe
Token: SeDebugPrivilege	5036	dL38001JpPdH38001.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 5036	3104	f01ef057f23f2116a29fce1a698d238d_JaffaCakes118.exe	85
PID 3104 wrote to memory of 5036	3104	f01ef057f23f2116a29fce1a698d238d_JaffaCakes118.exe	85
PID 3104 wrote to memory of 5036	3104	f01ef057f23f2116a29fce1a698d238d_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\f01ef057f23f2116a29fce1a698d238d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f01ef057f23f2116a29fce1a698d238d_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3104
- C:\ProgramData\dL38001JpPdH38001\dL38001JpPdH38001.exe
  "C:\ProgramData\dL38001JpPdH38001\dL38001JpPdH38001.exe" "C:\Users\Admin\AppData\Local\Temp\f01ef057f23f2116a29fce1a698d238d_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dL38001JpPdH38001\dL38001JpPdH38001

Filesize
192B

MD5
c386d7c99c6adbef484d882bbd33cf66

SHA1
b0af10b11715a80a99d6933b09b350316451a649

SHA256
0d730cf4c815e6cf061d603b25683556e1ffd8f61b1fb8b183b2de21e48aa345

SHA512
af36402f714820ebed2d0583a950880e8771a8785871221acbc1ee96709b2fc8e432de643225179aba095a90973a4d1a3ccc38003656138f2e2c168e4eccb687

Download Submit
C:\ProgramData\dL38001JpPdH38001\dL38001JpPdH38001.exe

Filesize
374KB

MD5
160ea05fdf308e1d030c51498ab27304

SHA1
5b5b4fe770a06b9dac70fc548483e9b0bfc8738e

SHA256
80570c5396fa1b4b5edcaa4048f9d9b2d44ae2a8e6e1594f790d0ddf6e402d99

SHA512
d36f983fd15fab42d3b3983bfb5328bb3377f6e0897cc101cb4f5cba84861af57e5a36ff0e14e9b5f98e2a6bd7aeb629d90008c978f31d0f351dcfca69e008c3

Download Submit
memory/3104-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3104-1-0x0000000002300000-0x00000000023A5000-memory.dmp

Filesize
660KB

Download
memory/3104-2-0x00000000006C0000-0x0000000000713000-memory.dmp

Filesize
332KB

Download
memory/3104-3-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3104-16-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/5036-15-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/5036-19-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/5036-25-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download