4858fce651b6dbc5e152defc966f0918dcec038dce8c3ff52fdee65a38d3ce7e

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

007dd47186edcfe4a5757913c4bfe481_JaffaCakes118.exe
Size

12KB
MD5

007dd47186edcfe4a5757913c4bfe481
SHA1

beb01f90ce78e0a0464b8b7283e73e0f27df9ba7
SHA256

4858fce651b6dbc5e152defc966f0918dcec038dce8c3ff52fdee65a38d3ce7e
SHA512

fbf5b5b1c3b7d0291dac2382e884212638a1ef58af7ff7b19e18c1103f433089cacc98ae5362bed66396cae25fdf685d424c131fc62650d46fa29eeef002fd36
SSDEEP

192:e/VBC1TSBUFg+y12gDY3c6d2efUtBpd+IWZC9OX0TIGcyeD+:e/7WTSBv+y0gDH6gzL+IUrX2Ncy6+

Score

8^/10

persistence privilege_escalation upx

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Executes dropped EXE 1 IoCs

pid	Process
3852	thermaltinck.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4516-1-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x0008000000023588-4.dat	upx
behavioral2/memory/3852-5-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4516-9-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3852-11-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\thermaltinc.dll	007dd47186edcfe4a5757913c4bfe481_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\thermaltinck.exe	007dd47186edcfe4a5757913c4bfe481_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\thermaltinck.exe	007dd47186edcfe4a5757913c4bfe481_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4516	007dd47186edcfe4a5757913c4bfe481_JaffaCakes118.exe
4516	007dd47186edcfe4a5757913c4bfe481_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 3852	4516	007dd47186edcfe4a5757913c4bfe481_JaffaCakes118.exe	89
PID 4516 wrote to memory of 3852	4516	007dd47186edcfe4a5757913c4bfe481_JaffaCakes118.exe	89
PID 4516 wrote to memory of 3852	4516	007dd47186edcfe4a5757913c4bfe481_JaffaCakes118.exe	89
PID 4516 wrote to memory of 4040	4516	007dd47186edcfe4a5757913c4bfe481_JaffaCakes118.exe	90
PID 4516 wrote to memory of 4040	4516	007dd47186edcfe4a5757913c4bfe481_JaffaCakes118.exe	90
PID 4516 wrote to memory of 4040	4516	007dd47186edcfe4a5757913c4bfe481_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\007dd47186edcfe4a5757913c4bfe481_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\007dd47186edcfe4a5757913c4bfe481_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\SysWOW64\thermaltinck.exe
  C:\Windows\system32\thermaltinck.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:3852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\007dd47186edcfe4a5757913c4bfe481_JaffaCakes118.exe.bat
  2⤵
  PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\007dd47186edcfe4a5757913c4bfe481_JaffaCakes118.exe.bat

Filesize
210B

MD5
728ddff74cf468bcf7fc6604211abe82

SHA1
758a6a1e3f219e59c8675af676732dd06b5b39c2

SHA256
23b20893b43db52bc84f369b38285c81bcbeebc26fc4a1810dd6d68e9aa3c621

SHA512
88c04bf6616e583f747717aa0b12d2cced7d5750463db16d884dba95ee53a0c4824bad6a5633cffec82bc4a35e29c49a472231eae2cce58ac701591a05655a58

Download Submit
C:\Windows\SysWOW64\thermaltinck.exe

Filesize
12KB

MD5
007dd47186edcfe4a5757913c4bfe481

SHA1
beb01f90ce78e0a0464b8b7283e73e0f27df9ba7

SHA256
4858fce651b6dbc5e152defc966f0918dcec038dce8c3ff52fdee65a38d3ce7e

SHA512
fbf5b5b1c3b7d0291dac2382e884212638a1ef58af7ff7b19e18c1103f433089cacc98ae5362bed66396cae25fdf685d424c131fc62650d46fa29eeef002fd36

Download Submit
memory/3852-5-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3852-11-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4516-1-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4516-9-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download