6af7e280c6f6052ca2dc6484afcfb1fb70cef381a6eda6c775f32fe073327d0c

Analysis

max time kernel
149s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8e0f5df70f28932b15b2824f64aa68f_JaffaCakes118.exe
Size

603KB
MD5

f8e0f5df70f28932b15b2824f64aa68f
SHA1

4c222f5bba3dbdbc600a4419760b453474f15499
SHA256

6af7e280c6f6052ca2dc6484afcfb1fb70cef381a6eda6c775f32fe073327d0c
SHA512

dd0ed1352b3bca1d18b110e32efec78a9edf5aedefb308a4544b3024f63caeab540315d6dc773b84bba3a496330979b5c67e77c045deacbc2df772c4a6d20ec7
SSDEEP

3072:cJ5EFKOO6OzSmxs8VHgXPc8XASOg17MTvuout03T:PFKiOzC8VEXAouuoSS

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2924	qscoqvx.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4368-0-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/files/0x0007000000023407-13.dat	upx
behavioral2/memory/2924-39-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/files/0x000100000000002e-44.dat	upx
behavioral2/memory/5092-55-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/2924-56-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4368-58-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4368-59-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4368-60-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4368-61-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4368-62-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4368-63-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4368-64-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4368-65-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4368-66-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4368-67-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4368-68-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4368-69-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4368-70-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4368-71-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4368-72-0x0000000000400000-0x000000000046D000-memory.dmp	upx

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Help\upbiran.ini	f8e0f5df70f28932b15b2824f64aa68f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Help\1.lrokagk	f8e0f5df70f28932b15b2824f64aa68f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Help\2.lrokagk	f8e0f5df70f28932b15b2824f64aa68f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\lrokagk\lrokagk\emrhqwb\m.ini	f8e0f5df70f28932b15b2824f64aa68f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\lrokagk\lrokagk\emrhqwb\qscoqvx.exe	f8e0f5df70f28932b15b2824f64aa68f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\lrokagk\lrokagk\emrhqwb\qscoqvx.exe	f8e0f5df70f28932b15b2824f64aa68f_JaffaCakes118.exe
File created	C:\Windows\system32\spool\DRIVERS\W32X86\3\rokagkl\rokagkl.exe	f8e0f5df70f28932b15b2824f64aa68f_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2924 set thread context of 5092	2924	qscoqvx.exe	87

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Help\lrokagk.hlp	f8e0f5df70f28932b15b2824f64aa68f_JaffaCakes118.exe
File created	C:\Windows\2.ini	f8e0f5df70f28932b15b2824f64aa68f_JaffaCakes118.exe
File opened for modification	C:\Windows\	f8e0f5df70f28932b15b2824f64aa68f_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1200	5092	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4368	f8e0f5df70f28932b15b2824f64aa68f_JaffaCakes118.exe
4368	f8e0f5df70f28932b15b2824f64aa68f_JaffaCakes118.exe
4368	f8e0f5df70f28932b15b2824f64aa68f_JaffaCakes118.exe
4368	f8e0f5df70f28932b15b2824f64aa68f_JaffaCakes118.exe
4368	f8e0f5df70f28932b15b2824f64aa68f_JaffaCakes118.exe
4368	f8e0f5df70f28932b15b2824f64aa68f_JaffaCakes118.exe
4368	f8e0f5df70f28932b15b2824f64aa68f_JaffaCakes118.exe
4368	f8e0f5df70f28932b15b2824f64aa68f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4368	f8e0f5df70f28932b15b2824f64aa68f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 2924	4368	f8e0f5df70f28932b15b2824f64aa68f_JaffaCakes118.exe	86
PID 4368 wrote to memory of 2924	4368	f8e0f5df70f28932b15b2824f64aa68f_JaffaCakes118.exe	86
PID 4368 wrote to memory of 2924	4368	f8e0f5df70f28932b15b2824f64aa68f_JaffaCakes118.exe	86
PID 2924 wrote to memory of 5092	2924	qscoqvx.exe	87
PID 2924 wrote to memory of 5092	2924	qscoqvx.exe	87
PID 2924 wrote to memory of 5092	2924	qscoqvx.exe	87
PID 2924 wrote to memory of 5092	2924	qscoqvx.exe	87
PID 2924 wrote to memory of 5092	2924	qscoqvx.exe	87

C:\Users\Admin\AppData\Local\Temp\f8e0f5df70f28932b15b2824f64aa68f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8e0f5df70f28932b15b2824f64aa68f_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\SysWOW64\lrokagk\lrokagk\emrhqwb\qscoqvx.exe
  C:\Windows\system32\lrokagk\lrokagk\emrhqwb\qscoqvx.exe -close
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe -NetworkService
    3⤵
    PID:5092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 12
      4⤵
      Program crash
      PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5092 -ip 5092
1⤵
PID:3284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Help\1.lrokagk

Filesize
26B

MD5
096d8729664971337508037032ac7c37

SHA1
50e581542512daab2bcea7c4d7444ce602ceb688

SHA256
8d9cf742b00a1bc4ef8f27eeac6dff42f4b457352b88a8e1f51c7c917d4c1e3b

SHA512
be8892e4614efa8e33fffe4808bf9f51ce8d8593746a989e11dbd2c98c762d53dfd48c0671258cdd218343b8de73a6e9ee4001707995d184de75ad8678e28b21

Download Submit
C:\Windows\SysWOW64\Help\2.lrokagk

Filesize
18B

MD5
355571dc6d7f25f70b3e462c68f2f335

SHA1
f922d1d2063e7e468600f58b8bfc04d96240430e

SHA256
666ca1ead21445ccb0330c8aa00a5f1064dcf8adbc9588a2352365be41fd9e38

SHA512
8b41ec3f1df78d492ed7b10eab205dcb0ba7713b85963c9498ecd14d42232a916243f0796c381fb2b09800da24f7b50d95ed9f7cc308febb8e8f48f95130c299

Download Submit
C:\Windows\SysWOW64\Help\upbiran.ini

Filesize
18B

MD5
d4830e76b85df2ec80b84a8e61443bb1

SHA1
bed8c515224e21b0de24f9be5264eecaa443e5c9

SHA256
e6783e505b72508c32f3a303d388fdeea934496554b85fbf52d7403a975ad32b

SHA512
4dac2d75d62e4d84c01eba9c61762752a5a4218658ab52e4b162e32088d5a7c6c090a9b98d420e8bfc8c6203a6da2d4008bdc6c3a14c8d3549400b4a56d48d78

Download Submit
C:\Windows\SysWOW64\lrokagk\lrokagk\emrhqwb\m.ini

Filesize
128B

MD5
ebf25644a70cd97c0b2a8e12533c9052

SHA1
0f92e033d0a268ba967f2ef75c0ac6fdb688b436

SHA256
93926a594b31b5a32fe4d187f6f608528632cf09dc3e35d96ab1629f909e3ec8

SHA512
e8e1b4ab3423b4fa4b6874cf5fb193997dbb606134886ab2f3b4048c16cc794d7bce5dfa8bd7c0be99f053d88671c9a019f93cac455e57f0db4c929da8028cfc

Download Submit
C:\Windows\SysWOW64\lrokagk\lrokagk\emrhqwb\qscoqvx.exe

Filesize
5.9MB

MD5
f4f23f513c0fc060f8d7482e366cc717

SHA1
a60d0279ba366b3f0f72d1f4652c78893300cdb5

SHA256
22f9d9e1387c764baa95b125169563923ac65792c9ffa700a820dc37040af351

SHA512
ba3038ddbfce9a3dc23f70a284a446a8ce129a0f73023be8ad6583587b17db52fe961dddb331d589a7adf1c27da79c25b6bdaaa2021ed13288ffb11e31b76be0

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\rokagkl\rokagkl000.IMD

Filesize
60KB

MD5
8ecedc3f0fa66f7a5fdb102a47fb6e11

SHA1
ad8a3c677d6aab10486f7548e2ac7b5e926a18f1

SHA256
5d318ef3f139e3ca6906063a526236faf2533a84bb688d09134182fef687a1cb

SHA512
745f42f0ca5f7c5b84a2cbf55be4d811570d97d4110c507115bd3a5f170e8fd0422ae3921d8a949e84585e6419ce5d58b6f0932aa2b2ebec0a11560a8f470977

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\rokagkl\rokagkl001.IMD

Filesize
60KB

MD5
09ad5622cb56883f454d11844de70fb9

SHA1
f1819bebdb094883873c85b1d24135d0922d42ca

SHA256
4e2e11513dcf790ed5b06d559e3cf12b42478da385a5ca9dc82353fdf23035a7

SHA512
e52998e1fd6f7fec943f889f504338e3270448044c91034c0a3c32c8e61cdd468166c32b582557f842ed311b484880390e5aac1fc15fad9b67be6291059a20d3

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\rokagkl\rokagkl002.IMD

Filesize
60KB

MD5
acb9aff18f2389791a64a4e21028b638

SHA1
13f6c9615382704a1103ae9a64c0e1165f91c857

SHA256
6c7158f594dc600d77f036de78e550a0a9b9e4ddf663f555152381f7dacb11a4

SHA512
d8465b3314a8a52e89068aea99f3fc8e0814e7a18a59c9ca8df747d4090ea6c0e55b8de1385441c47c96914288930062c58548862918c588c3d44596eb75d730

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\rokagkl\rokagkl003.IMD

Filesize
60KB

MD5
35363cf729f5fb47d950b2af77bbde58

SHA1
82268a135eb78235693448e7c9b11f25a1e22630

SHA256
2bc5cc1037a485816def85bc7ebb73e363044658ea44a5dca86cb72ae9bd3b38

SHA512
1a0c5eaf1fd4c7bfc06a526f8b7b1edd38f71115f96c27b3be3898c9f188d23124e536ab96707a860399d5c82adb51d9adc2aaecc93457754d1e1726b0296315

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\rokagkl\rokagkl004.IMD

Filesize
60KB

MD5
fd444519dc4d01e4209060e692bc760f

SHA1
ad2dffa2fd448c107901feade710658d8a25bf84

SHA256
c39c589060011e63419f034722ffb296c19e3a5f3aa6ec876d0a3fe1e946247e

SHA512
2b60e6b160be85692b0469b0af9d6ddf1b802601fae3c23c4878d0cdb4cf1d73356cb7b0905480da35497828eb077a123169283a69adce1ebac34aab43cc78ce

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\rokagkl\rokagkl005.IMD

Filesize
60KB

MD5
373369d60838b51fb05c9b355fc254ab

SHA1
2efa6053b0d593f73e089e6394ae02f0d0da3d82

SHA256
1a2d966c39592e01ce04068a8232bde427f9a4f24ffc993cb031e6620171d68e

SHA512
9065f140643d50c4109fe31a29718be3a61a8e9a22e4a5d1be1bcd8093d57e4cf7ce4c9d4899a77d0bc8642cf183ee7c406da0c6a39ecd68dd234f4f90dc09c4

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\rokagkl\rokagkl006.IMD

Filesize
60KB

MD5
9c933ea52d0200a7c8d68546bfbf1a73

SHA1
d689374bf7768b8103e46fa5760fe5b1f5eda840

SHA256
d65fa7ba84ddd5bb99eb59ddf3c2574c99908a0d0a26fb6bda45a31d24434465

SHA512
6765816c47fe00625ef6b25459035880602189899478844a3e2c2c5a3f6f72529738c675ade95a02d8c39becffad817cd08fb59b273c861db0731e3e9124a4da

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\rokagkl\rokagkl007.IMD

Filesize
60KB

MD5
cb5db1337c3ff61dcd7295a9a931b66d

SHA1
c767cce8b376ee1dabb8172e77fb344789667aae

SHA256
62585d51c78d64de2ecaeb020571aaf3b3e30c971b1a2e9c7210f36c5d2f5924

SHA512
e7150658bdae3367a20a8fda8df20bf8358b4e03977a5f6fc4a8077c47724df920afd2befa7aba7494dbda394964b7aeec54844e132120ae57c439177522ce43

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\rokagkl\rokagkl008.IMD

Filesize
60KB

MD5
50910ab8f36b11a4118eea2cace90304

SHA1
060f2349f7cd57bd1cd1dbe2a76d74ee6130b564

SHA256
b67c61ac5b737710941fbe58e999412c567c669a39d72f815437f3a0374a5e99

SHA512
55323c4808c5acb588d163eceadc89a666cfd158a16b5b10baef206fa1997dad064f6336ca0d86b548fb0c59af4c681e25f846aa33fae146e4a497213f86cf7b

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\rokagkl\rokagkl009.IMD

Filesize
60KB

MD5
a531c53bbe1835562dfe5bf9ef26d586

SHA1
543899da3a95f131a377ef2b2270db6e5f1fd697

SHA256
7a86e724d31a67678112c31f5358db50c9a851c49fb894410f5c3c9786ed3e05

SHA512
79961d3444e91f7db3f973dd65a3b85849f3470b41298c5bce7c226e6537bc7213271524fc675993a457717e15725b11411d47a21feba92c78d13caa64cc3d34

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\rokagkl\rokagkl010.IMD

Filesize
1B

MD5
93b885adfe0da089cdf634904fd59f71

SHA1
5ba93c9db0cff93f52b521d7420e43f6eda2784f

SHA256
6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d

SHA512
b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee

Download Submit
memory/2924-39-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2924-56-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4368-61-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4368-64-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4368-72-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4368-58-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4368-59-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4368-60-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4368-71-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4368-62-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4368-63-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4368-0-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4368-65-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4368-66-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4368-67-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4368-68-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4368-69-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4368-70-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5092-55-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download