9459494b3c8f75df77af009fc932af578cf48be615ecb43d912b172a940e84df

Analysis

max time kernel
151s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 18:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9f1a62a284edc47204e9ada51987950d_JaffaCakes118.exe
Size

857KB
MD5

9f1a62a284edc47204e9ada51987950d
SHA1

6960774c96ae01c874a2280a4dc3067cc2875e72
SHA256

9459494b3c8f75df77af009fc932af578cf48be615ecb43d912b172a940e84df
SHA512

7b8f3e25c3b9e34d20c3a6369ba188652e1bbfc83505e89d20f57da87d7d1fd019c4a2913548e0a742cc2f0972c1115bfc420aeb02745077566712eb4140bd7a
SSDEEP

24576:q5b77TXJhDWwl+DFID5r4ZhyMGmzjZnjJIexOLFLTNkdBAnlrMjW:CHTJhDTluFIChyMGmzjZnjJIexOLF1kh

Score

9^/10

persistence upx

Malware Config

Signatures

Nirsoft 1 IoCs

resource	yara_rule
behavioral2/memory/632-6-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

pid	Process
632	fjhuw23_1.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000f000000023244-3.dat	upx
behavioral2/memory/632-4-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/632-6-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uejslt = "C:\\Windows\\uejslt.exe"	9f1a62a284edc47204e9ada51987950d_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\uejslt.exe	9f1a62a284edc47204e9ada51987950d_JaffaCakes118.exe
File opened for modification	C:\Windows\uejslt.exe	9f1a62a284edc47204e9ada51987950d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 632	392	9f1a62a284edc47204e9ada51987950d_JaffaCakes118.exe	92
PID 392 wrote to memory of 632	392	9f1a62a284edc47204e9ada51987950d_JaffaCakes118.exe	92
PID 392 wrote to memory of 632	392	9f1a62a284edc47204e9ada51987950d_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\9f1a62a284edc47204e9ada51987950d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9f1a62a284edc47204e9ada51987950d_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Local\Temp\fjhuw23_1.exe
  C:\Users\Admin\AppData\Local\Temp\fjhuw23_1.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\gfwyio_1.txt
  2⤵
  - Executes dropped EXE
  PID:632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3496 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fjhuw23_1.exe

Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gfwyio_1.txt

Filesize
31B

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
memory/632-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/632-6-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads