e6c083bc386c6543a06f0e6d2b0927076e7c0484ea959216b335d61a97e9b618

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4871b080f9274da1274bb43709d130e_JaffaCakes118.exe
Size

448KB
MD5

f4871b080f9274da1274bb43709d130e
SHA1

cca4af8b983e4786c3785a33c112871d00e5ecff
SHA256

e6c083bc386c6543a06f0e6d2b0927076e7c0484ea959216b335d61a97e9b618
SHA512

b8c4d47fb26a4c83f7c77ff0e3520c1e5caa1b26681129f19e2b242df38ab087c3bc0b1c6f97ccb88d7f1d9391c243bcd51afbbf7f58dc2ec75407f5a124f887
SSDEEP

6144:EgZUzJg5m05lmVcNNij/BVfMe7yz6GVnwmkSY8lgbtjabm4BwY3tuvLmzMEGqFA7:EyUdg5XAjDfD7gwmou6Y9uT4LOEIFU2

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2632	eL01813KaNlP01813.exe

Executes dropped EXE 1 IoCs

pid	Process
2632	eL01813KaNlP01813.exe

Loads dropped DLL 2 IoCs

pid	Process
2028	f4871b080f9274da1274bb43709d130e_JaffaCakes118.exe
2028	f4871b080f9274da1274bb43709d130e_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2028-1-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2028-17-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2632-20-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2632-30-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2632-40-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eL01813KaNlP01813 = "C:\\ProgramData\\eL01813KaNlP01813\\eL01813KaNlP01813.exe"	eL01813KaNlP01813.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main	eL01813KaNlP01813.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2028	f4871b080f9274da1274bb43709d130e_JaffaCakes118.exe
2028	f4871b080f9274da1274bb43709d130e_JaffaCakes118.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	f4871b080f9274da1274bb43709d130e_JaffaCakes118.exe
Token: SeDebugPrivilege	2632	eL01813KaNlP01813.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2632	eL01813KaNlP01813.exe
2632	eL01813KaNlP01813.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2632	2028	f4871b080f9274da1274bb43709d130e_JaffaCakes118.exe	28
PID 2028 wrote to memory of 2632	2028	f4871b080f9274da1274bb43709d130e_JaffaCakes118.exe	28
PID 2028 wrote to memory of 2632	2028	f4871b080f9274da1274bb43709d130e_JaffaCakes118.exe	28
PID 2028 wrote to memory of 2632	2028	f4871b080f9274da1274bb43709d130e_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\f4871b080f9274da1274bb43709d130e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f4871b080f9274da1274bb43709d130e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028
- C:\ProgramData\eL01813KaNlP01813\eL01813KaNlP01813.exe
  "C:\ProgramData\eL01813KaNlP01813\eL01813KaNlP01813.exe" "C:\Users\Admin\AppData\Local\Temp\f4871b080f9274da1274bb43709d130e_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eL01813KaNlP01813\eL01813KaNlP01813

Filesize
192B

MD5
f4e3aea3d41c0a7752e0fb1127028709

SHA1
971be629a786e086adee812231e0fde5d3e36ff4

SHA256
602da93d1e563eb46ef7598140447ec7e9db13a047c61134baccc9769e5119af

SHA512
7cd234a43b4c085e449412c7894dc1ec0e19698174584c5cfb962c2d7254e5a05e2e7e1c60b46620a4516192d18dceef13ee5216b64493e57122dc26132a4807

Download Submit
\ProgramData\eL01813KaNlP01813\eL01813KaNlP01813.exe

Filesize
448KB

MD5
95ae33bc77a8d25b49a4bcdb3f15898a

SHA1
97e4a631a3ea1625371b992f409f272f13cf5932

SHA256
3d34b6a82b57320cb30ea6b380824899c9433fa359218cde863126e94df7b671

SHA512
8b1c91f9da09b0d8ed89a137eb8a5ff18d36dab814ffdd82d670f972cead2f5a6c31fc403a2650344013a8a929c5813fc9521139b15c6fa4ff68a169241ea281

Download Submit
memory/2028-1-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2028-2-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2028-17-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2632-20-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2632-21-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2632-30-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2632-32-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2632-40-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download