e2c973befba3ba2a4cbfaa0d1eaa85ba60f5b7da9ddbe0d53ed4cc9487b7aa2c

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-04-2024 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
Size

78KB
MD5

f1cc4c4b8b9540cc9e9404a2abe83eb2
SHA1

8f9ed0dae73f73a2a645e21529f6a8f63bb8ac2e
SHA256

e2c973befba3ba2a4cbfaa0d1eaa85ba60f5b7da9ddbe0d53ed4cc9487b7aa2c
SHA512

2aad123f70f5d416e00355f9a84d9f252923488a5e18d644f9aca072c882a92496a4e7bd25222506549f3f9b6155230b06ef41e2b29beacb191c8a7084ae1a3a
SSDEEP

1536:VwKKva3L9Q3N1s/B/gjaV2OhQo/Lsp7BEN8pO309gg1W9hQbg:VwLvab9GHsJ/TVhQo/Lsdt9sl

Score

7^/10

upx

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8970.lnk	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
2832	explorer.exe

Loads dropped DLL 3 IoCs

pid	Process
2248	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
2248	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
2832	explorer.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2248-0-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2248-9-0x0000000002520000-0x0000000002582000-memory.dmp	upx
behavioral1/files/0x000a000000012240-2.dat	upx
behavioral1/memory/2832-10-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2248-31-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2832-39-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2832-43-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2832-45-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2832-46-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2832-48-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2832-50-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2832-52-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2832-54-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2832-56-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2832-58-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2832-60-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2832-62-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2832-64-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2832-66-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2832-68-0x0000000000400000-0x0000000000462000-memory.dmp	upx

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\j:	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
File opened (read-only)	\??\q:	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\e:	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
File opened (read-only)	\??\g:	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
File opened (read-only)	\??\k:	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
File opened (read-only)	\??\t:	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
File opened (read-only)	\??\z:	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\l:	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
File opened (read-only)	\??\o:	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
File opened (read-only)	\??\w:	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
File opened (read-only)	\??\y:	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
File opened (read-only)	\??\u:	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
File opened (read-only)	\??\v:	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\n:	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
File opened (read-only)	\??\p:	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
File opened (read-only)	\??\r:	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
File opened (read-only)	\??\s:	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\h:	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
File opened (read-only)	\??\i:	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
File opened (read-only)	\??\m:	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
File opened (read-only)	\??\x:	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\uiui8.dll	explorer.exe
File created	C:\Program Files (x86)\Common Files\uiui8.dll	explorer.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2248	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2248	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2832	explorer.exe
Token: SeDebugPrivilege	2832	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2832	explorer.exe
2832	explorer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2832	2248	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2832	2248	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2832	2248	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2832	2248	f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f1cc4c4b8b9540cc9e9404a2abe83eb2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe
  "C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\8970.lnk

Filesize
449B

MD5
ae342318b288719168082ba3f26d8e33

SHA1
0464e616edc87b677de3e514a5e5baf696ac92ec

SHA256
331939a00efce9cab0dc7e690b7be7de0e3d2378f7ea48640bc80ead177332ec

SHA512
2e7d224df58bdc39395208fae51726c6d7eff76752c1fdc746da3294b159c1b6fbc9440354ff935c41b2d18d6734cfcc6c18fb726b78fc7d73d870a32cebda34

Download Submit
\Program Files (x86)\Common Files\microsoft shared\explorer.exe

Filesize
78KB

MD5
f1cc4c4b8b9540cc9e9404a2abe83eb2

SHA1
8f9ed0dae73f73a2a645e21529f6a8f63bb8ac2e

SHA256
e2c973befba3ba2a4cbfaa0d1eaa85ba60f5b7da9ddbe0d53ed4cc9487b7aa2c

SHA512
2aad123f70f5d416e00355f9a84d9f252923488a5e18d644f9aca072c882a92496a4e7bd25222506549f3f9b6155230b06ef41e2b29beacb191c8a7084ae1a3a

Download Submit
\Program Files (x86)\Common Files\uiui8.dll

Filesize
17KB

MD5
90b1f2289c3121611de1b47a54803e38

SHA1
8c1a78e9e777072aa60c365feb94b4eaee93ee8a

SHA256
28267ad6e645fd72dcb1a218b709c85bcbe34ebb5468f9533b04ff34d7647e0c

SHA512
216423e0647d4e40df227cb1bc6b6efddd2e84f5e9a58048219d7e59ec61f46e43e5e47bc4ea4485ef7af6282052113b0e68b73655c3245ec48d826fb8d905d6

Download Submit
memory/2248-9-0x0000000002520000-0x0000000002582000-memory.dmp

Filesize
392KB

Download
memory/2248-0-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2248-11-0x0000000002520000-0x0000000002582000-memory.dmp

Filesize
392KB

Download
memory/2248-31-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2832-46-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2832-54-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2832-39-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2832-43-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2832-45-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2832-10-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2832-48-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2832-50-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2832-52-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2832-40-0x00000000002E0000-0x00000000002EB000-memory.dmp

Filesize
44KB

Download
memory/2832-56-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2832-58-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2832-60-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2832-62-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2832-64-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2832-66-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2832-68-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download