1373a293d8575970b7fa19958ea04e90a275b00779122b3c3aa91fa02df7d10f

Analysis

max time kernel
141s
max time network
124s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7b0e5fcd58038c0b42f843d14558689_JaffaCakes118.exe
Size

169KB
MD5

f7b0e5fcd58038c0b42f843d14558689
SHA1

2264d0e7f4004ae9489dec30ffb9a9f50b6d9ac2
SHA256

1373a293d8575970b7fa19958ea04e90a275b00779122b3c3aa91fa02df7d10f
SHA512

97b0e617e2da358fbd3738a8b1dd54aed0bc3fa8e2ba5696c88a3ba3fbc1a98d17d2fbd4ec86d21cabcc012828718ebb0f9f490b51a7a772b136c73ca61a5bb0
SSDEEP

3072:uJxaKlHCoRXXDu2A3KROxwSM8He7WZgrJIrxuRzUtn+IgQWz0szRDhz9bC/D6pV:aVZRXXCQkxlHe7WZyCrxEzUhd8I8fz9l

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2992-0-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2992-2-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2992-36-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2992-37-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2992-44-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2992-50-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2992-56-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2992-62-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2992-67-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2992-69-0x0000000000400000-0x0000000000473000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sms = "C:\\Windows\\system32\\sms.exe"	f7b0e5fcd58038c0b42f843d14558689_JaffaCakes118.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\smsbcb.exe	f7b0e5fcd58038c0b42f843d14558689_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\smsxa.exe	f7b0e5fcd58038c0b42f843d14558689_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\smsgfb.exe	f7b0e5fcd58038c0b42f843d14558689_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\smsbit.exe	f7b0e5fcd58038c0b42f843d14558689_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\smsbdc.exe	f7b0e5fcd58038c0b42f843d14558689_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2992	f7b0e5fcd58038c0b42f843d14558689_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f7b0e5fcd58038c0b42f843d14558689_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f7b0e5fcd58038c0b42f843d14558689_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CF94YBKR\d[1].htm

Filesize
269B

MD5
c401cdd5c2f423eab019ce42b52fbc25

SHA1
fe0e0de0cd9197f25ff099b3f0ac93c86e8cbb4c

SHA256
63440881fcb4705b13210319feb10cae2118362f3f99f45f71ed903af89e9ea9

SHA512
fe5393e278923a707abe36eb56e66b166afd1b9f38abbec288a8db59842c08ff52f35a39b05e1f7c3ef76632c68c66343aad8e940673fdb29baeda2fd0443e18

Download Submit
C:\Windows\SysWOW64\smsbcb.exe

Filesize
186B

MD5
ddd7b9de2762817229b19dcca8e0c7ee

SHA1
709f7e1d87760ac2fd5423af466ddfc04090f1bd

SHA256
ed0c11884bf8d6680a7b9d9f96795df47aeaec1390d1d27acc228f80199aa72a

SHA512
80af0d507dcf9daed8bf0e967618a5fc4b5541076527f8b3af458b480bbeb060ffb6d2fc6c54eac1c2aab7e18192b8a00b8b4e9ae3dfc8cb809bcac1b25d86ec

Download Submit
memory/2992-37-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2992-2-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2992-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2992-36-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2992-0-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2992-39-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2992-44-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2992-50-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2992-56-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2992-62-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2992-67-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2992-69-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads