75e849cb154f1bb7cac1cd1f01092432dec5e483987e6c9f6030acd36a3bc924

Analysis

max time kernel
140s
max time network
117s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcc9d1a205db2f39d40c151e94f71b7c_JaffaCakes118.exe
Size

227KB
MD5

fcc9d1a205db2f39d40c151e94f71b7c
SHA1

66caf452889e757ad0e7247d3ea9a7104e711cb7
SHA256

75e849cb154f1bb7cac1cd1f01092432dec5e483987e6c9f6030acd36a3bc924
SHA512

41a8d47d380721a7816db5b89a0d8f89e1240f4dc0886d039f4545be320b224ff366885e7d1d5c14aa49226db5687cfaab47192a4bc3bc1d6c011c397739518a
SSDEEP

6144:PjbeiSLx2U8797OXlfcnsJut0HaE3F/8U:PutMUIO1wYHaE3xZ

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2216	is151287.exe
2476	NEROUE~1.EXE

Loads dropped DLL 6 IoCs

pid	Process
2416	fcc9d1a205db2f39d40c151e94f71b7c_JaffaCakes118.exe
2216	is151287.exe
2216	is151287.exe
2416	fcc9d1a205db2f39d40c151e94f71b7c_JaffaCakes118.exe
2416	fcc9d1a205db2f39d40c151e94f71b7c_JaffaCakes118.exe
2476	NEROUE~1.EXE

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x002a000000015d4c-32.dat	upx
behavioral1/memory/2476-43-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2476-46-0x0000000000400000-0x000000000042A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fcc9d1a205db2f39d40c151e94f71b7c_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mljhgef.dll	is151287.exe
File created	C:\Windows\SysWOW64\mljhgef.dll	is151287.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2216	is151287.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	is151287.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2216	is151287.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2216	2416	fcc9d1a205db2f39d40c151e94f71b7c_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2216	2416	fcc9d1a205db2f39d40c151e94f71b7c_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2216	2416	fcc9d1a205db2f39d40c151e94f71b7c_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2216	2416	fcc9d1a205db2f39d40c151e94f71b7c_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2216	2416	fcc9d1a205db2f39d40c151e94f71b7c_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2216	2416	fcc9d1a205db2f39d40c151e94f71b7c_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2216	2416	fcc9d1a205db2f39d40c151e94f71b7c_JaffaCakes118.exe	28
PID 2216 wrote to memory of 436	2216	is151287.exe	5
PID 2216 wrote to memory of 2568	2216	is151287.exe	29
PID 2216 wrote to memory of 2568	2216	is151287.exe	29
PID 2216 wrote to memory of 2568	2216	is151287.exe	29
PID 2216 wrote to memory of 2568	2216	is151287.exe	29
PID 2216 wrote to memory of 2568	2216	is151287.exe	29
PID 2216 wrote to memory of 2568	2216	is151287.exe	29
PID 2216 wrote to memory of 2568	2216	is151287.exe	29
PID 2216 wrote to memory of 2644	2216	is151287.exe	30
PID 2216 wrote to memory of 2644	2216	is151287.exe	30
PID 2216 wrote to memory of 2644	2216	is151287.exe	30
PID 2216 wrote to memory of 2644	2216	is151287.exe	30
PID 2216 wrote to memory of 2644	2216	is151287.exe	30
PID 2216 wrote to memory of 2644	2216	is151287.exe	30
PID 2216 wrote to memory of 2644	2216	is151287.exe	30
PID 2416 wrote to memory of 2476	2416	fcc9d1a205db2f39d40c151e94f71b7c_JaffaCakes118.exe	32
PID 2416 wrote to memory of 2476	2416	fcc9d1a205db2f39d40c151e94f71b7c_JaffaCakes118.exe	32
PID 2416 wrote to memory of 2476	2416	fcc9d1a205db2f39d40c151e94f71b7c_JaffaCakes118.exe	32
PID 2416 wrote to memory of 2476	2416	fcc9d1a205db2f39d40c151e94f71b7c_JaffaCakes118.exe	32
PID 2416 wrote to memory of 2476	2416	fcc9d1a205db2f39d40c151e94f71b7c_JaffaCakes118.exe	32
PID 2416 wrote to memory of 2476	2416	fcc9d1a205db2f39d40c151e94f71b7c_JaffaCakes118.exe	32
PID 2416 wrote to memory of 2476	2416	fcc9d1a205db2f39d40c151e94f71b7c_JaffaCakes118.exe	32

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\fcc9d1a205db2f39d40c151e94f71b7c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fcc9d1a205db2f39d40c151e94f71b7c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is151287.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is151287.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe ›¼w^Î§x,a
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\removalfile.bat "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\is151287.exe"
    3⤵
    PID:2644
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NEROUE~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NEROUE~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\removalfile.bat

Filesize
43B

MD5
9a7ef09167a6f4433681b94351509043

SHA1
259b1375ed8e84943ca1d42646bb416325c89e12

SHA256
d5739a0510d89da572eb0b0d394d4fb4dd361cd9ee0144b9b31c590df93c3be7

SHA512
96b84cd88a0e4b7c1122af3ed6ce5edf0a9a4e9bf79575eadfac16b2c46f1278d57755d29f21d7c6dcb4403be24b7ac7da4837c6cc9c602342a8f2b8e54883df

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\NEROUE~1.EXE

Filesize
123KB

MD5
db457a863378b2fc8dbe1f99e97e7dbb

SHA1
b1519970a4878fefdd338f4ae40bc2ebc4f174ae

SHA256
c95035bdf86b3a0f9280e2d0e9648df870b7e8eed1a10f3a0d96a52163848e0b

SHA512
8463e4795fe4ce24e8fa372ae8328bfee736e85fe003fef06934de7900f859fed7cb5d61c2271c25ead80cc4b23c79b4e5afeb0f6d7a374809defb805b807ef4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\is151287.exe

Filesize
63KB

MD5
fb3994b7cb7d579a757e2de4ad23ca73

SHA1
332616f3930b33892ad23859263e905281b80d10

SHA256
73b6e2e6993560a93f96e1941d30012880558404e972782bbd658dca0497abeb

SHA512
a14ad157472056de804a3b6cf887fcaccb3bdaabd0c5c7901def665276f189513e386ee6f76cb1d69f27a88b14bb396947924c28d08b76429c1e56d66cb86000

Download Submit
\Windows\SysWOW64\mljhgef.dll

Filesize
37KB

MD5
815e81bf1685a4b058f0ba76fadf4cd0

SHA1
f0f75e0458946f634f2ae80e8b4bacb7cc73833e

SHA256
5ef97b357669a64ae06a8d908f5f72cc575b42adca33ebd18a690167399d9d83

SHA512
21a3ad2eb2906d741b96feb60139c57cb190cd58c228ef56a860bce27d59399d38d940af74621f1e46abfa53a6878843959e34802b7dbd7854c310bb09016b01

Download Submit
memory/436-18-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2216-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2216-17-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2216-19-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2216-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2416-39-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2416-6-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2416-42-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2416-47-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2416-49-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2476-43-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2476-44-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/2476-46-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download