15a515dd4b294ba6b91efa7b9c99a6c94abf960938544be29a010e4ad3b5d02a

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
Size

412KB
MD5

f6b28ca0d18eb9c399ad43a5bd5bcaea
SHA1

46fc9675938eae8d725e761fa8f267013a8a9de0
SHA256

15a515dd4b294ba6b91efa7b9c99a6c94abf960938544be29a010e4ad3b5d02a
SHA512

3f7b88285cdec9c633dd2f9d1fb828f83882d76365b25727f6259978e68d66b1c12b4e156ae36951d9078a8351bdda9ea5dd458c920f1c04dededd11b493e82b
SSDEEP

6144:c347zfXgbTqi8A2rxCn3l0HRC//uFGnW6BV5+ixggkJoIDFmIZNu5HugMc85WG3W:c34nyb5Qwn12g/4GnW69PgAqIUP

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4328	fM02401CkPlP02401.exe

Executes dropped EXE 1 IoCs

pid	Process
4328	fM02401CkPlP02401.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4340-1-0x0000000000400000-0x00000000004D7000-memory.dmp	upx
behavioral2/memory/4328-84-0x0000000000400000-0x00000000004D7000-memory.dmp	upx
behavioral2/memory/4340-169-0x0000000000400000-0x00000000004D7000-memory.dmp	upx
behavioral2/memory/4328-177-0x0000000000400000-0x00000000004D7000-memory.dmp	upx
behavioral2/memory/4340-211-0x0000000000400000-0x00000000004D7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fM02401CkPlP02401 = "C:\\fM02401CkPlP02401\\fM02401CkPlP02401.exe"	fM02401CkPlP02401.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4316	4340	WerFault.exe	82
3636	4328	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4328	fM02401CkPlP02401.exe
4328	fM02401CkPlP02401.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4328	fM02401CkPlP02401.exe
4328	fM02401CkPlP02401.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
Token: SeDebugPrivilege	4328	fM02401CkPlP02401.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4328	fM02401CkPlP02401.exe
4328	fM02401CkPlP02401.exe
4328	fM02401CkPlP02401.exe
4328	fM02401CkPlP02401.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4328	fM02401CkPlP02401.exe
4328	fM02401CkPlP02401.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 4328	4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe	90
PID 4340 wrote to memory of 4328	4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe	90
PID 4340 wrote to memory of 4328	4340	f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 888
  2⤵
  - Program crash
  PID:4316
- C:\fM02401CkPlP02401\fM02401CkPlP02401.exe
  "\fM02401CkPlP02401\fM02401CkPlP02401.exe" "C:\Users\Admin\AppData\Local\Temp\f6b28ca0d18eb9c399ad43a5bd5bcaea_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 888
    3⤵
    - Program crash
    PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4340 -ip 4340
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4328 -ip 4328
1⤵
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\fM02401CkPlP02401\fM02401CkPlP02401.exe

Filesize
412KB

MD5
30d92236dab2555b824693afe8afdccf

SHA1
5bd1c63f883f8e2b6bd5be383fd309f3bfc0d5ff

SHA256
4fabd4da012e1db6b81231d9bebe63feef2356404476950f8af2405511fc087d

SHA512
d9ed5ce809f9a9ecb1b2c7a09f8b6442334c4532be5a635dcc4dc6a003f6daf0f3759d8b49115a035f050a1e14e79e7ef1d0098c3803b400c894771a67fab36a

Download Submit
memory/4328-84-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4328-85-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/4328-177-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4340-0-0x0000000002370000-0x0000000002373000-memory.dmp

Filesize
12KB

Download
memory/4340-1-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4340-2-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/4340-169-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4340-211-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download