d0deeb586f1fd93b6243ebc0da43aa1a127ecbc179b5b6c4bb62374487415464

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/05/2024, 07:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe
Size

324KB
MD5

11a83cd7cc9ff70cae2bbdaf9eb5ceef
SHA1

055f291ed8d80d9b4dc4afd65206b4fe51b00844
SHA256

d0deeb586f1fd93b6243ebc0da43aa1a127ecbc179b5b6c4bb62374487415464
SHA512

3a6e51b3a9602f3ec0c3b17de8c284f45230e32aa3274971327d94d81014870c7b348c652a09b1c57a2ab51c0d22ebedccd84e95be4fd7f680da5f606e640133
SSDEEP

6144:ClswZPn4OEnG9vw2fpO/4NMZAjkOpbnui2Cv3oXpQDTcXF1zk:ClswZPnNEMphI4NMZANpbnuVs3oXE8vw

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b000000014712-1.dat	acprotect

Loads dropped DLL 3 IoCs

pid	Process
1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe
1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe
1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000014712-1.dat	upx
behavioral1/memory/1808-3-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/1808-23-0x0000000010000000-0x0000000010032000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MpSigStub.exe	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MpSigStub.exe	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 2280	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	28
PID 1808 wrote to memory of 2280	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	28
PID 1808 wrote to memory of 2280	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	28
PID 1808 wrote to memory of 2280	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	28
PID 1808 wrote to memory of 2528	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	30
PID 1808 wrote to memory of 2528	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	30
PID 1808 wrote to memory of 2528	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	30
PID 1808 wrote to memory of 2528	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	30
PID 1808 wrote to memory of 3028	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	31
PID 1808 wrote to memory of 3028	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	31
PID 1808 wrote to memory of 3028	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	31
PID 1808 wrote to memory of 3028	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	31
PID 1808 wrote to memory of 2940	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	32
PID 1808 wrote to memory of 2940	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	32
PID 1808 wrote to memory of 2940	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	32
PID 1808 wrote to memory of 2940	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	32
PID 1808 wrote to memory of 2576	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	33
PID 1808 wrote to memory of 2576	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	33
PID 1808 wrote to memory of 2576	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	33
PID 1808 wrote to memory of 2576	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	33
PID 1808 wrote to memory of 2640	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	36
PID 1808 wrote to memory of 2640	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	36
PID 1808 wrote to memory of 2640	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	36
PID 1808 wrote to memory of 2640	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	36
PID 1808 wrote to memory of 2656	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	38
PID 1808 wrote to memory of 2656	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	38
PID 1808 wrote to memory of 2656	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	38
PID 1808 wrote to memory of 2656	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	38
PID 1808 wrote to memory of 2628	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	39
PID 1808 wrote to memory of 2628	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	39
PID 1808 wrote to memory of 2628	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	39
PID 1808 wrote to memory of 2628	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	39
PID 1808 wrote to memory of 2540	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	41
PID 1808 wrote to memory of 2540	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	41
PID 1808 wrote to memory of 2540	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	41
PID 1808 wrote to memory of 2540	1808	11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe	41

C:\Users\Admin\AppData\Local\Temp\11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\11a83cd7cc9ff70cae2bbdaf9eb5ceef_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\SysWOW64\arp.exe
  arp -a
  2⤵
  PID:2280
- C:\Windows\SysWOW64\arp.exe
  arp -s 10.127.0.1 9d-37-05-3b-2d-0e
  2⤵
  PID:2528
- C:\Windows\SysWOW64\arp.exe
  arp -s 10.127.255.255 f7-cc-31-7b-40-68
  2⤵
  PID:3028
- C:\Windows\SysWOW64\arp.exe
  arp -s 37.27.61.181 d0-bb-68-00-25-f6
  2⤵
  PID:2940
- C:\Windows\SysWOW64\arp.exe
  arp -s 224.0.0.22 e5-21-d6-19-be-51
  2⤵
  PID:2576
- C:\Windows\SysWOW64\arp.exe
  arp -s 224.0.0.251 08-57-9d-8b-9f-1d
  2⤵
  PID:2640
- C:\Windows\SysWOW64\arp.exe
  arp -s 224.0.0.252 1a-cc-58-e1-cd-46
  2⤵
  PID:2656
- C:\Windows\SysWOW64\arp.exe
  arp -s 239.255.255.250 58-c0-b9-bb-75-9e
  2⤵
  PID:2628
- C:\Windows\SysWOW64\arp.exe
  arp -s 255.255.255.255 45-21-be-8d-81-7b
  2⤵
  PID:2540

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MpSigStub.exe

Filesize
243KB

MD5
39b981380efb66426797f124f563fea0

SHA1
d77bdec7849f8c523f5729c4eae0d353c8b6e057

SHA256
43a8e5f29f8e95c1969aa2e5df22f9a433b2db3f4fbd8fe636ede08af7554478

SHA512
49f81129557f950711fe3fb5db1fe44e404fccb254149a646605fac57905b65c042137725653e2fb69cd2816213c1403ab8d5224f315ef55490ebe53cabc8102

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
72KB

MD5
0609f5fe5fee88412b62aacafc43aedc

SHA1
e36ebd88d34a8b9af2808eb156f108ffc30d6a26

SHA256
b2e599e330c75124b46da9091b2546acff6dddc56d0f21d20e1af892f3ac07d6

SHA512
63f2ce803eed240ea27fcbef2658645a654b157dc8b2c630719bbe16de109467b28de81179cc99625c074dec4b8aa1c473798bcf48a3b394c8ea0be9edecc2d0

Download Submit
memory/1808-3-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1808-23-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/1808-21-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download