bd4e9cd2fa9c4eea41597c47f99dc3143e9099df65991d21c5c52d3994f96294

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 15:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

25915cdb67c54ec11d7a0ac7cb364f20_JaffaCakes118.exe
Size

816KB
MD5

25915cdb67c54ec11d7a0ac7cb364f20
SHA1

4f76fc42564f6f8e249eaa47b933c3225fa4d8b2
SHA256

bd4e9cd2fa9c4eea41597c47f99dc3143e9099df65991d21c5c52d3994f96294
SHA512

01dc87e6244efa3da455c2ff45be36e7c621a8938720bb3d66f240bc6c1c043a953d0d8d8649d1886ac4fe27368416b592bf9fa7b6c198a9c51e018235c67a11
SSDEEP

12288:l3TD4DnRfwKl+j9Fc5vgPCzYC95m1UpmZhor1oAd6qopy53Tjacjgkdsr:9TQuKl+j9Fc5IUYnWpHr6A4NivaROsr

Score

9^/10

upx

Malware Config

Signatures

Nirsoft 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000013f2c-25.dat	Nirsoft

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2452	wscript.exe

Executes dropped EXE 4 IoCs

pid	Process
3048	ni.exe
2552	2.exe
2516	1.exe
2572	Sdat.exe

Loads dropped DLL 15 IoCs

pid	Process
2592	cmd.exe
2592	cmd.exe
2552	2.exe
2552	2.exe
2552	2.exe
2552	2.exe
2516	1.exe
2516	1.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000014183-49.dat	upx
behavioral1/memory/2572-58-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/2572-70-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/2572-73-0x0000000000400000-0x0000000000419000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2412	2516	WerFault.exe	34

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2552	2.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2592	2364	25915cdb67c54ec11d7a0ac7cb364f20_JaffaCakes118.exe	28
PID 2364 wrote to memory of 2592	2364	25915cdb67c54ec11d7a0ac7cb364f20_JaffaCakes118.exe	28
PID 2364 wrote to memory of 2592	2364	25915cdb67c54ec11d7a0ac7cb364f20_JaffaCakes118.exe	28
PID 2364 wrote to memory of 2592	2364	25915cdb67c54ec11d7a0ac7cb364f20_JaffaCakes118.exe	28
PID 2592 wrote to memory of 3048	2592	cmd.exe	30
PID 2592 wrote to memory of 3048	2592	cmd.exe	30
PID 2592 wrote to memory of 3048	2592	cmd.exe	30
PID 2592 wrote to memory of 3048	2592	cmd.exe	30
PID 3048 wrote to memory of 2680	3048	ni.exe	31
PID 3048 wrote to memory of 2680	3048	ni.exe	31
PID 3048 wrote to memory of 2680	3048	ni.exe	31
PID 2680 wrote to memory of 2552	2680	cmd.exe	33
PID 2680 wrote to memory of 2552	2680	cmd.exe	33
PID 2680 wrote to memory of 2552	2680	cmd.exe	33
PID 2680 wrote to memory of 2552	2680	cmd.exe	33
PID 2552 wrote to memory of 2516	2552	2.exe	34
PID 2552 wrote to memory of 2516	2552	2.exe	34
PID 2552 wrote to memory of 2516	2552	2.exe	34
PID 2552 wrote to memory of 2516	2552	2.exe	34
PID 2516 wrote to memory of 2572	2516	1.exe	35
PID 2516 wrote to memory of 2572	2516	1.exe	35
PID 2516 wrote to memory of 2572	2516	1.exe	35
PID 2516 wrote to memory of 2572	2516	1.exe	35
PID 2516 wrote to memory of 2412	2516	1.exe	36
PID 2516 wrote to memory of 2412	2516	1.exe	36
PID 2516 wrote to memory of 2412	2516	1.exe	36
PID 2516 wrote to memory of 2412	2516	1.exe	36
PID 2572 wrote to memory of 2452	2572	Sdat.exe	37
PID 2572 wrote to memory of 2452	2572	Sdat.exe	37
PID 2572 wrote to memory of 2452	2572	Sdat.exe	37
PID 2572 wrote to memory of 2452	2572	Sdat.exe	37

C:\Users\Admin\AppData\Local\Temp\25915cdb67c54ec11d7a0ac7cb364f20_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25915cdb67c54ec11d7a0ac7cb364f20_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\download.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Users\Admin\AppData\Local\Temp\ni.exe
    ni.exe exec hide 2.cmd
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\system32\cmd.exe
      cmd /c 2.cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Users\Admin\AppData\Local\Temp\2.exe
        
        2.exe -p1234567890 -dC:\Users\Admin\AppData\Local\Temp
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Users\Admin\AppData\Roaming\Sdat.exe
        
        C:\Users\Admin\AppData\Roaming\Sdat.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\system32\wscript.exe
        
        "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\CEC.tmp\CED.vbs
        8⤵
        Blocklisted process makes network request
        
        PID:2452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 392
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.cmd

Filesize
27B

MD5
31106c5e4c730b371b6ac2e602f4bbf0

SHA1
e6b2750c320be46bbaef3b7b65567fdcbae40f66

SHA256
d9fbe3381883314c77b6668d7cceec0e61d7e34e3e45bc3e73c7128febc9c755

SHA512
5bd0a2a62312f49cf7e2f6c224b8dd18c3dbcbd67f7ef5eb8a049e4dabe2a0df71d9a7819e01cb109b41edd906ac355c8d88526c9afef4e786eaa12af4b6fbdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
658KB

MD5
e8597c30392ef5221186232d1f79ca2f

SHA1
c868f41227f31625ce027c21e172f83728a1ad27

SHA256
6e8d079b2ebdddb6dcaad5c416701cfbc15524b8693f9bab2eb384821b6c7fe4

SHA512
1cb5dc43eceeb2a4677561405a56039fe8cbc4eab0362c376ec156e9b6276baea7293461e9a5b8935af3881b9493099d18557fb9dcf6c373531e13b6c27f1a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEC.tmp\CED.vbs

Filesize
2KB

MD5
e097ead80c14907fecba2145d3009e2a

SHA1
cd9747c3a5120bf1af25097504e8e73ee3a03cad

SHA256
3c98363cb2f348bb80e217ab76e93c46d1d0ce53a6ba661fe5618d05821860b0

SHA512
6f605ff6224815179502f246ca0a995c458ab0b133ed0e49bddf62782e0842cd9a917c4de793c60ee8959bd9f1b8c707a2f42f3e76df048c73217e3852f3864c

Download Submit
C:\Users\Admin\AppData\Local\Temp\download.bat

Filesize
39B

MD5
e47ee753333c0dddbf95a2933caf8e3f

SHA1
b702c1500e64ab077b99efc0a336aff780445519

SHA256
bacba3429d4bf3c73a35116e1b2bf015324726cf0a1c323a6568954a6b6436a1

SHA512
594e90a79f93f2ec9a58b65fc496517fdf689e8614de427358a0df93946ad61ea6dec32a72664dc7ff1694601e8a0a24e8f442ad2608ac73c5447a7662d652ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ni.exe

Filesize
114KB

MD5
b417238213efb0d2a23562674406cdf9

SHA1
04bf7acc7d0aa74fa750f7c32fdebbbe1daf46f8

SHA256
5bfa034f7555a38e64c078af71b4ff8c49511579fa826a87661940b7e9a6e333

SHA512
881b420af6e7104ac1f2edf03fc905f30af8ee264d8279f7eeb18e6178e210e063ac3c3d9a47f0c7c36ad04b51773e28595f965b037b0a0305d6c9fdf18e96a3

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
1.0MB

MD5
d05b543dc51e4a518424468b6ee0faa9

SHA1
a44aff0859d0f3d6633486ead38a3e93430cb726

SHA256
9399c5797c74c4bc6adb889e54a4cb20de050d2c53c95fe9927d2c2d9b09a5a9

SHA512
3c450bf070c4e3976beba5e6274a429472a17004c5bafc7b648d7c80cc25105981e052a43864ce2e5639ebda04a69992dae6f9f8924a441bd71d27c03d43488e

Download Submit
\Users\Admin\AppData\Roaming\Sdat.exe

Filesize
35KB

MD5
5d084f65fd0f663f77615b6c096e4bde

SHA1
309880f0b1caca00b78d81af5c47deb746dff5ad

SHA256
fba937ffc0291601b7b03548dac94ef6f321077b96ec561c9f595fb71fc50ccb

SHA512
bbf046d2456a4e3569973735405bb2c1ab0001112e55e990a24b375665d81c2f49c4ed21276338573559e9717d94c3632625331ac29c99e99bc2560296a45f6e

Download Submit
memory/2516-57-0x0000000003470000-0x0000000003489000-memory.dmp

Filesize
100KB

Download
memory/2516-56-0x0000000003470000-0x0000000003489000-memory.dmp

Filesize
100KB

Download
memory/2516-68-0x0000000003470000-0x0000000003489000-memory.dmp

Filesize
100KB

Download
memory/2516-69-0x0000000003470000-0x0000000003489000-memory.dmp

Filesize
100KB

Download
memory/2572-58-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2572-70-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2572-73-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download