31b0e73835dd58455bc30063b15f0757f69f1114870a52ee953720bf963c1150

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
Size

2.5MB
MD5

16c954986ee7036a4ebba280ef35f987
SHA1

727e793721e14eac0c41d32363bc10820dd16e07
SHA256

31b0e73835dd58455bc30063b15f0757f69f1114870a52ee953720bf963c1150
SHA512

41d16ae929be32ae1167de2ef328db12fc137bccfeefe59e7f0e43aad4bae7514d7255f8b4c37ca27584a341da3249dd024386ddef53671b2f5210a9c5eef438
SSDEEP

49152:MFT/XoN9NtqUh/wL8w0Pelu8G5UoafpbswJNPpJ6Qmub1F1ZAC:MN/oNJqPuPeoVOoafpL/BcQDbNZZ

Score

8^/10

upx

Malware Config

Signatures

Blocklisted process makes network request 8 IoCs

flow	pid	Process
7	5280	rundll32.exe
10	5280	rundll32.exe
13	5280	rundll32.exe
16	5280	rundll32.exe
27	5152	rundll32.exe
32	5952	rundll32.exe
33	5952	rundll32.exe
34	5496	rundll32.exe

ACProtect 1.3x - 1.4x DLL software 8 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000200000001e32b-21.dat	acprotect
behavioral2/memory/3812-23-0x0000000002940000-0x000000000294A000-memory.dmp	acprotect
behavioral2/memory/3812-40-0x0000000002940000-0x000000000294A000-memory.dmp	acprotect
behavioral2/memory/3812-39-0x0000000002940000-0x000000000294A000-memory.dmp	acprotect
behavioral2/memory/3812-55-0x0000000002940000-0x000000000294A000-memory.dmp	acprotect
behavioral2/memory/3812-95-0x0000000002940000-0x000000000294A000-memory.dmp	acprotect
behavioral2/memory/3812-88-0x0000000002940000-0x000000000294A000-memory.dmp	acprotect
behavioral2/memory/3812-128-0x0000000002940000-0x000000000294A000-memory.dmp	acprotect

Loads dropped DLL 34 IoCs

pid	Process
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
5280	rundll32.exe
5152	rundll32.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
5952	rundll32.exe
5496	rundll32.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000200000001e32b-21.dat	upx
behavioral2/memory/3812-23-0x0000000002940000-0x000000000294A000-memory.dmp	upx
behavioral2/memory/3812-40-0x0000000002940000-0x000000000294A000-memory.dmp	upx
behavioral2/memory/3812-39-0x0000000002940000-0x000000000294A000-memory.dmp	upx
behavioral2/memory/3812-55-0x0000000002940000-0x000000000294A000-memory.dmp	upx
behavioral2/memory/3812-95-0x0000000002940000-0x000000000294A000-memory.dmp	upx
behavioral2/memory/3812-88-0x0000000002940000-0x000000000294A000-memory.dmp	upx
behavioral2/memory/3812-128-0x0000000002940000-0x000000000294A000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 5280	3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe	91
PID 3812 wrote to memory of 5280	3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe	91
PID 3812 wrote to memory of 5280	3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe	91
PID 3812 wrote to memory of 5152	3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe	92
PID 3812 wrote to memory of 5152	3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe	92
PID 3812 wrote to memory of 5152	3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe	92
PID 3812 wrote to memory of 5952	3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe	93
PID 3812 wrote to memory of 5952	3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe	93
PID 3812 wrote to memory of 5952	3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe	93
PID 3812 wrote to memory of 5496	3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe	97
PID 3812 wrote to memory of 5496	3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe	97
PID 3812 wrote to memory of 5496	3812	16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe	97

C:\Users\Admin\AppData\Local\Temp\16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\16c954986ee7036a4ebba280ef35f987_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\EDC3AA0F-3E48-D04C-ADAF-C89832EC84BB\ists.dll",CmdProc --Level --Supp 571 --Ver 160
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:5280
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\EDC3AA0F-3E48-D04C-ADAF-C89832EC84BB\ists.dll",CmdProc --Goo --Proc checkinstall --Supp 571 --Cid 6A468243-C394-6B4E-A273-3C73BFE125C5 --Tid UA-56838662-1
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:5152
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\EDC3AA0F-3E48-D04C-ADAF-C89832EC84BB\ists.dll",CmdProc --Check --Supp 571 --Uid 07D6E8B732521E418CA2C203B491D183 --Ver 160
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Maps connected drives based on registry
  PID:5952
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\EDC3AA0F-3E48-D04C-ADAF-C89832EC84BB\ists.dll",CmdProc --Goo --Proc startinstall --Supp 571 --Cid 6EB66B42-1FDF-9C4B-A6B4-6EDC3EA7DCEB --Tid UA-56838662-1
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:5496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3716 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05D517E27F502E8D3D31C7688EBC7A89

Filesize
503B

MD5
27a1c156e6d1f20bf79bd2b9356e8bfa

SHA1
fa354470bf31acfb38e8d2204126a5c8a6158277

SHA256
2a2cf25ec3c4d38b415b1a16486257ce1068c042a440c5a2fec25609265efdd3

SHA512
62713202d455c5c1277681fb76c1dc7770b8719cde88dd86fa99fb45e3b1aca8766247467af692c7a2b1b085d0291387281addf08145143db43facdf7d977694

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05D517E27F502E8D3D31C7688EBC7A89

Filesize
548B

MD5
9f4af5c8a3fb846ffb2c6c98a28921be

SHA1
8dfa4178763d8d9cb2e4bd3257c9a9fe83f45e32

SHA256
2c0d4681e300624860aa12828e59e5351a7067071ad342f72dbad598ff3e1026

SHA512
ea782c594c82b4bb9c387e905a0c7acc46a7dd95b19aed2e99ab7d9b5dec9968abe84978fe5211912b540aecd3232d7da2f406cc975367bd84c1ce63f032f06c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
133b32f1f472712aa12430cdbcd13c9b

SHA1
02f4ac8dadfdd44b56d64467c60b632e2be1f5c7

SHA256
bf32eecff33ff966874a259d106cc35fc5f5b45bd488c69f5828ebee1fe283d6

SHA512
95a982e6ae438b2ae478efa339bcac5c7742c176e7cebec2db02cc83e163d7c9fb205164397de012f93829cd46faf514075ece37f7f93d94fdb046659545413c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDC3AA0F-3E48-D04C-ADAF-C89832EC84BB\ists.dll

Filesize
365KB

MD5
35e2b49159b6619ee1ae8f6d1790e721

SHA1
f61ff5c95978ad46f0a13d1f12ec1dc4b4308648

SHA256
a0d3936b3f124fd60aed8aa9c34bddf91054c909172bccfbfa21d37ff95cea97

SHA512
a4eb71ca89fbb6d615ed8c370da1b7aac998d15db7309779856d86d6b78100d31dcfbffa5d46e9a77990e97e38f4179ce5748e68c873672cc07238c60a493b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso27A8.tmp\System.dll

Filesize
11KB

MD5
3e6bf00b3ac976122f982ae2aadb1c51

SHA1
caab188f7fdc84d3fdcb2922edeeb5ed576bd31d

SHA256
4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe

SHA512
1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso27A8.tmp\md5dll.dll

Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso27A8.tmp\nsDialogs.dll

Filesize
9KB

MD5
dbdbf4017ff91c9de328697b5fd2e10a

SHA1
b597a5e9a8a0b252770933feed51169b5060a09f

SHA256
be60a00f32924ccbe03f9914e33b8e1ad8c8a1ca442263a69896efba74925b36

SHA512
3befc15aab0a5dbe7fde96155b0499d385f2799b1a2d47ce04f37b5804006b1c6c4fff93d3cedb56a2a8172b23752b6f9dc6168cfce3596b91def3247836cf10

Download Submit
memory/3812-44-0x0000000002940000-0x000000000294A000-memory.dmp

Filesize
40KB

Download
memory/3812-57-0x0000000002940000-0x000000000294A000-memory.dmp

Filesize
40KB

Download
memory/3812-55-0x0000000002940000-0x000000000294A000-memory.dmp

Filesize
40KB

Download
memory/3812-95-0x0000000002940000-0x000000000294A000-memory.dmp

Filesize
40KB

Download
memory/3812-88-0x0000000002940000-0x000000000294A000-memory.dmp

Filesize
40KB

Download
memory/3812-108-0x0000000002940000-0x000000000294A000-memory.dmp

Filesize
40KB

Download
memory/3812-64-0x0000000002940000-0x000000000294A000-memory.dmp

Filesize
40KB

Download
memory/3812-39-0x0000000002940000-0x000000000294A000-memory.dmp

Filesize
40KB

Download
memory/3812-40-0x0000000002940000-0x000000000294A000-memory.dmp

Filesize
40KB

Download
memory/3812-49-0x0000000002940000-0x000000000294A000-memory.dmp

Filesize
40KB

Download
memory/3812-23-0x0000000002940000-0x000000000294A000-memory.dmp

Filesize
40KB

Download
memory/3812-128-0x0000000002940000-0x000000000294A000-memory.dmp

Filesize
40KB

Download
memory/3812-129-0x0000000002940000-0x000000000294A000-memory.dmp

Filesize
40KB

Download