67d2adb1141f5b68c8f11d7dd7456d8628d2073a228902a71232e8f1b8d6871f

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17-05-2024 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e46a05d653ff89feac1faa4d55945eb_JaffaCakes118.exe
Size

33KB
MD5

4e46a05d653ff89feac1faa4d55945eb
SHA1

a570e9a39a9ff9d70a0a30e0a057ff94860fd356
SHA256

67d2adb1141f5b68c8f11d7dd7456d8628d2073a228902a71232e8f1b8d6871f
SHA512

85206155f564dc036206ea8dae01a65a7dcad6bc3177a556227bf24de9096b656102771deb639dce86a490a6669d4394ab2576d4fecbbf00910967c5cf8cce9c
SSDEEP

768:NyMHExfpdfohQEI/ctS09eqIXr1iEpTH0:0kgfroez/c0keqohiqH

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2236-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2236-27-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 7 IoCs

evasion

pid	Process
632	timeout.exe
928	timeout.exe
1748	timeout.exe
2728	timeout.exe
2800	timeout.exe
2644	timeout.exe
1664	timeout.exe

Enumerates processes with tasklist 1 TTPs 8 IoCs

Process Discovery

T1057

pid	Process
2780	tasklist.exe
1724	tasklist.exe
1924	tasklist.exe
2152	tasklist.exe
868	tasklist.exe
748	tasklist.exe
1616	tasklist.exe
2172	tasklist.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	tasklist.exe
Token: SeDebugPrivilege	2780	tasklist.exe
Token: SeDebugPrivilege	1724	tasklist.exe
Token: SeDebugPrivilege	1924	tasklist.exe
Token: SeDebugPrivilege	2152	tasklist.exe
Token: SeDebugPrivilege	868	tasklist.exe
Token: SeDebugPrivilege	748	tasklist.exe
Token: SeDebugPrivilege	1616	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1344	2236	4e46a05d653ff89feac1faa4d55945eb_JaffaCakes118.exe	29
PID 2236 wrote to memory of 1344	2236	4e46a05d653ff89feac1faa4d55945eb_JaffaCakes118.exe	29
PID 2236 wrote to memory of 1344	2236	4e46a05d653ff89feac1faa4d55945eb_JaffaCakes118.exe	29
PID 2236 wrote to memory of 1344	2236	4e46a05d653ff89feac1faa4d55945eb_JaffaCakes118.exe	29
PID 1344 wrote to memory of 2172	1344	cmd.exe	30
PID 1344 wrote to memory of 2172	1344	cmd.exe	30
PID 1344 wrote to memory of 2172	1344	cmd.exe	30
PID 1344 wrote to memory of 2172	1344	cmd.exe	30
PID 1344 wrote to memory of 2740	1344	cmd.exe	31
PID 1344 wrote to memory of 2740	1344	cmd.exe	31
PID 1344 wrote to memory of 2740	1344	cmd.exe	31
PID 1344 wrote to memory of 2740	1344	cmd.exe	31
PID 1344 wrote to memory of 2780	1344	cmd.exe	33
PID 1344 wrote to memory of 2780	1344	cmd.exe	33
PID 1344 wrote to memory of 2780	1344	cmd.exe	33
PID 1344 wrote to memory of 2780	1344	cmd.exe	33
PID 1344 wrote to memory of 2768	1344	cmd.exe	34
PID 1344 wrote to memory of 2768	1344	cmd.exe	34
PID 1344 wrote to memory of 2768	1344	cmd.exe	34
PID 1344 wrote to memory of 2768	1344	cmd.exe	34
PID 1344 wrote to memory of 2728	1344	cmd.exe	35
PID 1344 wrote to memory of 2728	1344	cmd.exe	35
PID 1344 wrote to memory of 2728	1344	cmd.exe	35
PID 1344 wrote to memory of 2728	1344	cmd.exe	35
PID 1344 wrote to memory of 2800	1344	cmd.exe	36
PID 1344 wrote to memory of 2800	1344	cmd.exe	36
PID 1344 wrote to memory of 2800	1344	cmd.exe	36
PID 1344 wrote to memory of 2800	1344	cmd.exe	36
PID 1344 wrote to memory of 1724	1344	cmd.exe	39
PID 1344 wrote to memory of 1724	1344	cmd.exe	39
PID 1344 wrote to memory of 1724	1344	cmd.exe	39
PID 1344 wrote to memory of 1724	1344	cmd.exe	39
PID 1344 wrote to memory of 1996	1344	cmd.exe	40
PID 1344 wrote to memory of 1996	1344	cmd.exe	40
PID 1344 wrote to memory of 1996	1344	cmd.exe	40
PID 1344 wrote to memory of 1996	1344	cmd.exe	40
PID 1344 wrote to memory of 1924	1344	cmd.exe	41
PID 1344 wrote to memory of 1924	1344	cmd.exe	41
PID 1344 wrote to memory of 1924	1344	cmd.exe	41
PID 1344 wrote to memory of 1924	1344	cmd.exe	41
PID 1344 wrote to memory of 2440	1344	cmd.exe	42
PID 1344 wrote to memory of 2440	1344	cmd.exe	42
PID 1344 wrote to memory of 2440	1344	cmd.exe	42
PID 1344 wrote to memory of 2440	1344	cmd.exe	42
PID 1344 wrote to memory of 2644	1344	cmd.exe	43
PID 1344 wrote to memory of 2644	1344	cmd.exe	43
PID 1344 wrote to memory of 2644	1344	cmd.exe	43
PID 1344 wrote to memory of 2644	1344	cmd.exe	43
PID 1344 wrote to memory of 1664	1344	cmd.exe	44
PID 1344 wrote to memory of 1664	1344	cmd.exe	44
PID 1344 wrote to memory of 1664	1344	cmd.exe	44
PID 1344 wrote to memory of 1664	1344	cmd.exe	44
PID 1344 wrote to memory of 2152	1344	cmd.exe	45
PID 1344 wrote to memory of 2152	1344	cmd.exe	45
PID 1344 wrote to memory of 2152	1344	cmd.exe	45
PID 1344 wrote to memory of 2152	1344	cmd.exe	45
PID 1344 wrote to memory of 264	1344	cmd.exe	46
PID 1344 wrote to memory of 264	1344	cmd.exe	46
PID 1344 wrote to memory of 264	1344	cmd.exe	46
PID 1344 wrote to memory of 264	1344	cmd.exe	46
PID 1344 wrote to memory of 868	1344	cmd.exe	47
PID 1344 wrote to memory of 868	1344	cmd.exe	47
PID 1344 wrote to memory of 868	1344	cmd.exe	47
PID 1344 wrote to memory of 868	1344	cmd.exe	47

C:\Users\Admin\AppData\Local\Temp\4e46a05d653ff89feac1faa4d55945eb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4e46a05d653ff89feac1faa4d55945eb_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Luna__GTA_Launcher_Rockstar_Edition.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq GTA5.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- - C:\Windows\SysWOW64\findstr.exe
    findstr "GTA5.exe"
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq launcher.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- - C:\Windows\SysWOW64\findstr.exe
    findstr "launcher.exe"
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\timeout.exe
    timeout 20
    3⤵
    - Delays execution with timeout.exe
    PID:2728
- - C:\Windows\SysWOW64\timeout.exe
    timeout 15
    3⤵
    - Delays execution with timeout.exe
    PID:2800
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq GTA5.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1724
- - C:\Windows\SysWOW64\findstr.exe
    findstr "GTA5.exe"
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq launcher.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- - C:\Windows\SysWOW64\findstr.exe
    findstr "launcher.exe"
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\timeout.exe
    timeout 20
    3⤵
    - Delays execution with timeout.exe
    PID:2644
- - C:\Windows\SysWOW64\timeout.exe
    timeout 15
    3⤵
    - Delays execution with timeout.exe
    PID:1664
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq GTA5.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Windows\SysWOW64\findstr.exe
    findstr "GTA5.exe"
    3⤵
    PID:264
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq launcher.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:868
- - C:\Windows\SysWOW64\findstr.exe
    findstr "launcher.exe"
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\timeout.exe
    timeout 20
    3⤵
    - Delays execution with timeout.exe
    PID:632
- - C:\Windows\SysWOW64\timeout.exe
    timeout 15
    3⤵
    - Delays execution with timeout.exe
    PID:928
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq GTA5.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:748
- - C:\Windows\SysWOW64\findstr.exe
    findstr "GTA5.exe"
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq launcher.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
- - C:\Windows\SysWOW64\findstr.exe
    findstr "launcher.exe"
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\timeout.exe
    timeout 20
    3⤵
    - Delays execution with timeout.exe
    PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Luna__GTA_Launcher_Rockstar_Edition.bat

Filesize
4KB

MD5
23e2b3e0f516e9f59e1de5dde888c188

SHA1
499e8c8b4f0a175d0a1e54b62932b197b5abe822

SHA256
2be6713e465141b7aaa85a2a5b3489b0c4540b40e1af2b7b9e970e74fb179a56

SHA512
34058e5a174ef402bf95198ccffa2a475cde9b8e7cf87577cdca488e53ef64db00bbe162900a25796827be30636d7e8c31dadfa388a6b997588166ac35b165be

Download Submit
memory/1344-19-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1344-29-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2236-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2236-27-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download