Analysis

  • max time kernel
    120s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-04-2024 04:08

General

  • Target

    fbe4974aa207ef2f714ce642844f897c_JaffaCakes118.exe

  • Size

    1003KB

  • MD5

    fbe4974aa207ef2f714ce642844f897c

  • SHA1

    0d9cb2ee644cbbae4269834ddb170f77c54c6de1

  • SHA256

    9e7d2e49a7773ee727b01ddb33aadb73667597eaba21d9b90dd28e590c807643

  • SHA512

    403a715fa56b0b70b92163efd9e96eae88a4d5d8ce3fa65fb592dfae94470719293ed7ccc918f61ed7c262a87c7d8392881496637160df3c74192635594b67ef

  • SSDEEP

    24576:p07cC9czqokhdbkiAyb5/vGQoadai7D3uITjIFOxo53ApIj:p042c2okhdbkiAyb5/vGQ7ai7D3xTgOu

Score
7/10
upx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fbe4974aa207ef2f714ce642844f897c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fbe4974aa207ef2f714ce642844f897c_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Users\Admin\AppData\Local\Temp\fbe4974aa207ef2f714ce642844f897c_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\fbe4974aa207ef2f714ce642844f897c_JaffaCakes118.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\fbe4974aa207ef2f714ce642844f897c_JaffaCakes118.exe" /TN MJu5Ub8Eff50 /F
        3⤵
        • Creates scheduled task(s)
        PID:2900
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c schtasks.exe /Query /XML /TN MJu5Ub8Eff50 > C:\Users\Admin\AppData\Local\Temp\lcvOjTJ.xml
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2952
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /Query /XML /TN MJu5Ub8Eff50
          4⤵
            PID:3020

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\lcvOjTJ.xml
    Filesize
    1KB
    MD5
    f23e4e030be524f2072c2f258e634767
    SHA1
    12e573f88fbb2fe84269d4c249e2f8176cd2210d
    SHA256
    59f67899a588b7c018948f97ef9b7d6246493c7a11a6298e30d08896a1102c10
    SHA512
    1151f258421fb8ce4b1adcfb9ed32be43a69c78ad190462abbe7c584f4560fea6b1e959436eab182f5c21dffad02e9b6c66593055eed95428d6e1195732fbcef

  • \Users\Admin\AppData\Local\Temp\fbe4974aa207ef2f714ce642844f897c_JaffaCakes118.exe
    Filesize
    1003KB
    MD5
    79aa222cef3bf6f8018c653a6bb11766
    SHA1
    51d2ac44985569d9082d0bf8055d6dc76321b038
    SHA256
    afae7411b55f3b0f5f91cea3ca04bd445e89eb6a6d5a5b0359b43db9bd14890e
    SHA512
    4f08da776f014be006b0c05bc2bc0c5d8c8eb9a5276e7f4d7d2c8018f81b92ee80d8bda85d35c5192f2b78dbe6ecaadcf5d4be07f9ed9461c52963a535dadf3f

  • memory/1640-0-0x0000000000400000-0x000000000065C000-memory.dmp
    Filesize
    2.4MB

  • memory/1640-2-0x00000000002A0000-0x000000000031E000-memory.dmp
    Filesize
    504KB

  • memory/1640-1-0x0000000000400000-0x000000000046B000-memory.dmp
    Filesize
    428KB

  • memory/1640-15-0x0000000000400000-0x000000000046B000-memory.dmp
    Filesize
    428KB

  • memory/1640-16-0x0000000023000000-0x000000002325C000-memory.dmp
    Filesize
    2.4MB

  • memory/2040-18-0x0000000000400000-0x000000000065C000-memory.dmp
    Filesize
    2.4MB

  • memory/2040-20-0x00000000002F0000-0x000000000036E000-memory.dmp
    Filesize
    504KB

  • memory/2040-27-0x0000000000200000-0x000000000026B000-memory.dmp
    Filesize
    428KB

  • memory/2040-26-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize
    364KB

  • memory/2040-53-0x0000000000400000-0x000000000065C000-memory.dmp
    Filesize
    2.4MB