04a810ffcaf4ab849bb2b7a4bdfbcb9aabd9e85513e3a7f0861c770001146bd1

Analysis

max time kernel
139s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2024, 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
Size

527KB
MD5

0ad61c4f369ef91a0a8afeaae1844032
SHA1

3aacba35e18d73e6bf22eb3aed1f20d611ee3875
SHA256

04a810ffcaf4ab849bb2b7a4bdfbcb9aabd9e85513e3a7f0861c770001146bd1
SHA512

a68d5e76d59a0375025868ad4d1a7cf8fc80205d3475b6875d39993e81c5e52350196801710e27d2497e9bca8ed4b2343d95d46ed14253398ca12576e27c104b
SSDEEP

12288:/quErHF6xC9D6DmR1J98w4oknqOOCyQfQJXzaVqfENFSmFZ6:Grl6kD68JmlotQf+eVzNFxFZ6

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1428	~ebbuhjk.tmp

Loads dropped DLL 13 IoCs

pid	Process
1428	~ebbuhjk.tmp
1428	~ebbuhjk.tmp
1428	~ebbuhjk.tmp
1428	~ebbuhjk.tmp
1428	~ebbuhjk.tmp
1428	~ebbuhjk.tmp
1428	~ebbuhjk.tmp
1428	~ebbuhjk.tmp
1428	~ebbuhjk.tmp
1428	~ebbuhjk.tmp
1428	~ebbuhjk.tmp
1428	~ebbuhjk.tmp
1428	~ebbuhjk.tmp

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3704-0-0x0000000000A50000-0x0000000000B83000-memory.dmp	upx
behavioral2/memory/3704-57-0x0000000000A50000-0x0000000000B83000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3704-57-0x0000000000A50000-0x0000000000B83000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 11 IoCs

pid	Process
3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 1428	3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe	83
PID 3704 wrote to memory of 1428	3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe	83
PID 3704 wrote to memory of 1428	3704	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3704
- C:\~ebbuhjk.tmp
  C:\~ebbuhjk.tmp /S
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsu3990.tmp\System.dll

Filesize
11KB

MD5
3e6bf00b3ac976122f982ae2aadb1c51

SHA1
caab188f7fdc84d3fdcb2922edeeb5ed576bd31d

SHA256
4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe

SHA512
1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu3990.tmp\nsisFile.dll

Filesize
5KB

MD5
b7d0d765c151d235165823b48554e442

SHA1
fe530e6c6fd60392d4ce611b21ec9daad3f1bc84

SHA256
a820a32e5ce89e3e336afc71aa1bf42a357ec542c2bc6e50c6255c1333812587

SHA512
5d801c24dfa1b7326f72f9c0acf3a330ef0cc3fce25ceee200bb12eab8c2b653025602e610e0cecda1e7cbd851ce1b66252531220b557a378ddb0b4a1741fa66

Download Submit
C:\~ebbuhjk.tmp

Filesize
158KB

MD5
63f97f0f83d525d798596963a41426e0

SHA1
e20f5011669a3aa5e54826add72d507c182be334

SHA256
f0ee8f91b19d7070c6a29298c2649b1f14ce6a4d88ae799477a033e8119b6af1

SHA512
a73413961fa3c81200eca1fd92fc4ba125bdb7f62c6a9173bf8df23aff2e03a57da47f71f32b52df6cfdcd149a60330bf9a5b27b1b45b032b89d8969ab948dcf

Download Submit
memory/3704-0-0x0000000000A50000-0x0000000000B83000-memory.dmp

Filesize
1.2MB

Download
memory/3704-57-0x0000000000A50000-0x0000000000B83000-memory.dmp

Filesize
1.2MB

Download