6196ac42c905036beaa5120d613b127a23f0cb16ff7d1a8bf6d5f69a5e2ea509

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcf4af698506908ce53b2d32141d0c70_JaffaCakes118.exe
Size

12KB
MD5

fcf4af698506908ce53b2d32141d0c70
SHA1

73c63a023664ae26e0d8cc65541879be57e81db4
SHA256

6196ac42c905036beaa5120d613b127a23f0cb16ff7d1a8bf6d5f69a5e2ea509
SHA512

937fc14ea193904ade151fa6cb4bb1ad88c00575e45aafb0f6d84286fb92d5fbd3fca3beef1d3e747469e075b12a7d5ada5b59682926089b6b0a343bd0803e1f
SSDEEP

192:2Har15XCCl7sFrbK4l8AmSXpMNoF67SArmnuXcw2rDD+zNH7xn+:2Har19l9sFrm4+W67SAau2rXWH71+

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
2516	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2172	zesttnsk.exe

Loads dropped DLL 2 IoCs

pid	Process
3008	fcf4af698506908ce53b2d32141d0c70_JaffaCakes118.exe
3008	fcf4af698506908ce53b2d32141d0c70_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3008-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x000c000000012671-3.dat	upx
behavioral1/memory/3008-4-0x0000000000030000-0x000000000003F000-memory.dmp	upx
behavioral1/memory/3008-11-0x0000000000030000-0x000000000003F000-memory.dmp	upx
behavioral1/memory/2172-12-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/3008-20-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zesttns.dll	fcf4af698506908ce53b2d32141d0c70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zesttnsk.exe	fcf4af698506908ce53b2d32141d0c70_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\zesttnsk.exe	fcf4af698506908ce53b2d32141d0c70_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3008	fcf4af698506908ce53b2d32141d0c70_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2172	3008	fcf4af698506908ce53b2d32141d0c70_JaffaCakes118.exe	28
PID 3008 wrote to memory of 2172	3008	fcf4af698506908ce53b2d32141d0c70_JaffaCakes118.exe	28
PID 3008 wrote to memory of 2172	3008	fcf4af698506908ce53b2d32141d0c70_JaffaCakes118.exe	28
PID 3008 wrote to memory of 2172	3008	fcf4af698506908ce53b2d32141d0c70_JaffaCakes118.exe	28
PID 3008 wrote to memory of 2516	3008	fcf4af698506908ce53b2d32141d0c70_JaffaCakes118.exe	29
PID 3008 wrote to memory of 2516	3008	fcf4af698506908ce53b2d32141d0c70_JaffaCakes118.exe	29
PID 3008 wrote to memory of 2516	3008	fcf4af698506908ce53b2d32141d0c70_JaffaCakes118.exe	29
PID 3008 wrote to memory of 2516	3008	fcf4af698506908ce53b2d32141d0c70_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\fcf4af698506908ce53b2d32141d0c70_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fcf4af698506908ce53b2d32141d0c70_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWOW64\zesttnsk.exe
  C:\Windows\system32\zesttnsk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\fcf4af698506908ce53b2d32141d0c70_JaffaCakes118.exe.bat
  2⤵
  - Deletes itself
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fcf4af698506908ce53b2d32141d0c70_JaffaCakes118.exe.bat

Filesize
210B

MD5
bdfc62a314e205c8b8ef7c7dbab9f394

SHA1
0a1de6dc25e1d871b5519c161f8b8b0e698d540d

SHA256
daea57309dce4d368cb820b647e6bcb262c177faaeaeee1bba7899d166e96d78

SHA512
f1e131c769a855fa0aa13a65375a4397dd857b731bc06aab29fb8ae8e04d07139413d68d72a203674a654a966dd42fb99fd1b809a2202930263ba12655226858

Download Submit
\Windows\SysWOW64\zesttnsk.exe

Filesize
12KB

MD5
fcf4af698506908ce53b2d32141d0c70

SHA1
73c63a023664ae26e0d8cc65541879be57e81db4

SHA256
6196ac42c905036beaa5120d613b127a23f0cb16ff7d1a8bf6d5f69a5e2ea509

SHA512
937fc14ea193904ade151fa6cb4bb1ad88c00575e45aafb0f6d84286fb92d5fbd3fca3beef1d3e747469e075b12a7d5ada5b59682926089b6b0a343bd0803e1f

Download Submit
memory/2172-12-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3008-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3008-4-0x0000000000030000-0x000000000003F000-memory.dmp

Filesize
60KB

Download
memory/3008-11-0x0000000000030000-0x000000000003F000-memory.dmp

Filesize
60KB

Download
memory/3008-20-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download