6ab197af1e45620915b1f33246bbafce19ca2fedbdab8299e6c6d1022d7d2d7f

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 09:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe
Size

264KB
MD5

04b92490d7faa40784fef1782d82e920
SHA1

bab948128b3e377cd7fb56b18a9d8152f554183d
SHA256

6ab197af1e45620915b1f33246bbafce19ca2fedbdab8299e6c6d1022d7d2d7f
SHA512

f78d849a34f1f74246a5a3c66b4981fb43c949fde3f2e1e3eefbf789e0efd71f3ed57977ecf591529ecf5c49a3d211b1cbaae2d75675e62cd47ab713a75c961b
SSDEEP

6144:I11no9UvEy4FzmIXNYibNZu+RU+eOQjAYL2j:krvE1FzmIX6ipZu+eOlYL2j

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2064-4-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/2064-6-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/2064-7-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/2064-18-0x0000000000400000-0x0000000000427000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1164 set thread context of 2064	1164	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe	84
PID 2064 set thread context of 1236	2064	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe	86

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1236	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe
1236	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe
1236	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe
1236	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1164	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe
2064	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 2064	1164	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe	84
PID 1164 wrote to memory of 2064	1164	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe	84
PID 1164 wrote to memory of 2064	1164	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe	84
PID 1164 wrote to memory of 2064	1164	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe	84
PID 1164 wrote to memory of 2064	1164	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe	84
PID 1164 wrote to memory of 2064	1164	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe	84
PID 1164 wrote to memory of 2064	1164	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe	84
PID 1164 wrote to memory of 2064	1164	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe	84
PID 2064 wrote to memory of 1236	2064	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe	86
PID 2064 wrote to memory of 1236	2064	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe	86
PID 2064 wrote to memory of 1236	2064	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe	86
PID 2064 wrote to memory of 1236	2064	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe	86
PID 2064 wrote to memory of 1236	2064	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe	86
PID 2064 wrote to memory of 1236	2064	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe	86
PID 2064 wrote to memory of 1236	2064	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe	86
PID 1236 wrote to memory of 3404	1236	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe	56
PID 1236 wrote to memory of 3404	1236	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe	56
PID 1236 wrote to memory of 3404	1236	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe	56
PID 1236 wrote to memory of 3404	1236	04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3404
- C:\Users\Admin\AppData\Local\Temp\04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Users\Admin\AppData\Local\Temp\04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Users\Admin\AppData\Local\Temp\04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\04b92490d7faa40784fef1782d82e920_JaffaCakes118.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1236

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1164-1-0x0000000000401000-0x00000000004FA000-memory.dmp

Filesize
996KB

Download
memory/1164-0-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1164-12-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/1236-15-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/1236-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1236-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2064-4-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2064-6-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2064-7-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2064-18-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3404-19-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3404-20-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download