305f2c715eea5f2f48f0e1720ca3c36db250d28b8a4f8d5aa35d9f483882af69

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15-06-2024 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af640c9a451dd817b9a9370cf5ed27f6_JaffaCakes118.exe
Size

193KB
MD5

af640c9a451dd817b9a9370cf5ed27f6
SHA1

8d9417a0292312f1108218e9f1456a672311c24b
SHA256

305f2c715eea5f2f48f0e1720ca3c36db250d28b8a4f8d5aa35d9f483882af69
SHA512

a69b593e3f1e275d71a4c3211fe2e18134622d2a9d21a9ccce5d27b4e93ce76bb69a74d3e07885e522c3df10d63559f15d7fd9f32dfa9d4c220dfd2c704564d0
SSDEEP

3072:EUQBVYncVJdFSADxxeMEnY6m/POF+9fSER3CQG2CHOt0wPVYHFwa2gZ93:7BwJlxYnY6m/WF+9f3hG2COt0wPI2mF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2008-2-0x00000000001D0000-0x000000000024D000-memory.dmp	upx
behavioral1/memory/1704-0-0x00000000001D0000-0x000000000024D000-memory.dmp	upx
behavioral1/memory/2008-4-0x00000000001D0000-0x000000000024D000-memory.dmp	upx
behavioral1/memory/1704-7-0x00000000001D0000-0x000000000024D000-memory.dmp	upx

Delays execution with timeout.exe 30 IoCs

evasion

pid	Process
2272	timeout.exe
2704	timeout.exe
2772	timeout.exe
2576	timeout.exe
2540	timeout.exe
1396	timeout.exe
2792	timeout.exe
2556	timeout.exe
2580	timeout.exe
2752	timeout.exe
2696	timeout.exe
2544	timeout.exe
2660	timeout.exe
2796	timeout.exe
2720	timeout.exe
2916	timeout.exe
2676	timeout.exe
3008	timeout.exe
2992	timeout.exe
2220	timeout.exe
2684	timeout.exe
2644	timeout.exe
2740	timeout.exe
2808	timeout.exe
2832	timeout.exe
2828	timeout.exe
2360	timeout.exe
2700	timeout.exe
2600	timeout.exe
2348	timeout.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2008	1704	af640c9a451dd817b9a9370cf5ed27f6_JaffaCakes118.exe	28
PID 1704 wrote to memory of 2008	1704	af640c9a451dd817b9a9370cf5ed27f6_JaffaCakes118.exe	28
PID 1704 wrote to memory of 2008	1704	af640c9a451dd817b9a9370cf5ed27f6_JaffaCakes118.exe	28
PID 1704 wrote to memory of 2008	1704	af640c9a451dd817b9a9370cf5ed27f6_JaffaCakes118.exe	28
PID 1704 wrote to memory of 2008	1704	af640c9a451dd817b9a9370cf5ed27f6_JaffaCakes118.exe	28
PID 1704 wrote to memory of 2008	1704	af640c9a451dd817b9a9370cf5ed27f6_JaffaCakes118.exe	28
PID 1704 wrote to memory of 2008	1704	af640c9a451dd817b9a9370cf5ed27f6_JaffaCakes118.exe	28
PID 2008 wrote to memory of 3016	2008	af640c9a451dd817b9a9370cf5ed27f6_JaffaCakes118.exe	29
PID 2008 wrote to memory of 3016	2008	af640c9a451dd817b9a9370cf5ed27f6_JaffaCakes118.exe	29
PID 2008 wrote to memory of 3016	2008	af640c9a451dd817b9a9370cf5ed27f6_JaffaCakes118.exe	29
PID 2008 wrote to memory of 3016	2008	af640c9a451dd817b9a9370cf5ed27f6_JaffaCakes118.exe	29
PID 3016 wrote to memory of 2828	3016	cmd.exe	31
PID 3016 wrote to memory of 2828	3016	cmd.exe	31
PID 3016 wrote to memory of 2828	3016	cmd.exe	31
PID 3016 wrote to memory of 2828	3016	cmd.exe	31
PID 3016 wrote to memory of 2720	3016	cmd.exe	32
PID 3016 wrote to memory of 2720	3016	cmd.exe	32
PID 3016 wrote to memory of 2720	3016	cmd.exe	32
PID 3016 wrote to memory of 2720	3016	cmd.exe	32
PID 3016 wrote to memory of 2360	3016	cmd.exe	33
PID 3016 wrote to memory of 2360	3016	cmd.exe	33
PID 3016 wrote to memory of 2360	3016	cmd.exe	33
PID 3016 wrote to memory of 2360	3016	cmd.exe	33
PID 3016 wrote to memory of 2684	3016	cmd.exe	34
PID 3016 wrote to memory of 2684	3016	cmd.exe	34
PID 3016 wrote to memory of 2684	3016	cmd.exe	34
PID 3016 wrote to memory of 2684	3016	cmd.exe	34
PID 3016 wrote to memory of 2644	3016	cmd.exe	35
PID 3016 wrote to memory of 2644	3016	cmd.exe	35
PID 3016 wrote to memory of 2644	3016	cmd.exe	35
PID 3016 wrote to memory of 2644	3016	cmd.exe	35
PID 3016 wrote to memory of 2740	3016	cmd.exe	36
PID 3016 wrote to memory of 2740	3016	cmd.exe	36
PID 3016 wrote to memory of 2740	3016	cmd.exe	36
PID 3016 wrote to memory of 2740	3016	cmd.exe	36
PID 3016 wrote to memory of 2752	3016	cmd.exe	37
PID 3016 wrote to memory of 2752	3016	cmd.exe	37
PID 3016 wrote to memory of 2752	3016	cmd.exe	37
PID 3016 wrote to memory of 2752	3016	cmd.exe	37
PID 3016 wrote to memory of 2796	3016	cmd.exe	38
PID 3016 wrote to memory of 2796	3016	cmd.exe	38
PID 3016 wrote to memory of 2796	3016	cmd.exe	38
PID 3016 wrote to memory of 2796	3016	cmd.exe	38
PID 3016 wrote to memory of 2916	3016	cmd.exe	39
PID 3016 wrote to memory of 2916	3016	cmd.exe	39
PID 3016 wrote to memory of 2916	3016	cmd.exe	39
PID 3016 wrote to memory of 2916	3016	cmd.exe	39
PID 3016 wrote to memory of 2696	3016	cmd.exe	40
PID 3016 wrote to memory of 2696	3016	cmd.exe	40
PID 3016 wrote to memory of 2696	3016	cmd.exe	40
PID 3016 wrote to memory of 2696	3016	cmd.exe	40
PID 3016 wrote to memory of 2540	3016	cmd.exe	41
PID 3016 wrote to memory of 2540	3016	cmd.exe	41
PID 3016 wrote to memory of 2540	3016	cmd.exe	41
PID 3016 wrote to memory of 2540	3016	cmd.exe	41
PID 3016 wrote to memory of 2272	3016	cmd.exe	42
PID 3016 wrote to memory of 2272	3016	cmd.exe	42
PID 3016 wrote to memory of 2272	3016	cmd.exe	42
PID 3016 wrote to memory of 2272	3016	cmd.exe	42
PID 3016 wrote to memory of 2700	3016	cmd.exe	43
PID 3016 wrote to memory of 2700	3016	cmd.exe	43
PID 3016 wrote to memory of 2700	3016	cmd.exe	43
PID 3016 wrote to memory of 2700	3016	cmd.exe	43
PID 3016 wrote to memory of 1396	3016	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\af640c9a451dd817b9a9370cf5ed27f6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\af640c9a451dd817b9a9370cf5ed27f6_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\af640c9a451dd817b9a9370cf5ed27f6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\af640c9a451dd817b9a9370cf5ed27f6_JaffaCakes118.exe" /C175F064-D79F-43E9-B062-DC85EDDBAEA1 /WaitEventName={CDB9782D-764E-4BCF-B44E-3EFA8515038C}
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    /U /C "for /L %A in (1, 1, 30) do timeout /T 1 /NOBREAK >NUL & @del "C:\Users\Admin\AppData\Local\Temp\af640c9a451dd817b9a9370cf5ed27f6_JaffaCakes118.exe" 2>NUL & @if not exist "C:\Users\Admin\AppData\Local\Temp\af640c9a451dd817b9a9370cf5ed27f6_JaffaCakes118.exe" @exit"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2828
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2720
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2360
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2684
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2644
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2740
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2752
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2796
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2916
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2696
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2540
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2272
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2700
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:1396
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2792
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2808
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2772
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2556
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2676
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2704
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2580
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2832
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2544
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2576
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2600
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2660
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2220
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:3008
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2348
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 1 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1704-1-0x0000000000250000-0x00000000002CD000-memory.dmp

Filesize
500KB

Download
memory/1704-0-0x00000000001D0000-0x000000000024D000-memory.dmp

Filesize
500KB

Download
memory/1704-7-0x00000000001D0000-0x000000000024D000-memory.dmp

Filesize
500KB

Download
memory/2008-2-0x00000000001D0000-0x000000000024D000-memory.dmp

Filesize
500KB

Download
memory/2008-4-0x00000000001D0000-0x000000000024D000-memory.dmp

Filesize
500KB

Download