61b97e9e723e86c92b4dadd99394963d49089919bc2deb056907b74837f098fd

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05e4a3f1426092bb38bd1fe4caff6e5e_JaffaCakes118.exe
Size

734KB
MD5

05e4a3f1426092bb38bd1fe4caff6e5e
SHA1

8d9effcc9b6cca53318d292b679b5278f24fe21d
SHA256

61b97e9e723e86c92b4dadd99394963d49089919bc2deb056907b74837f098fd
SHA512

a8c23db4f0b7829cf753407d3ac67a0052734f4a3bf7721bdc0c4afae22dec73a3308684812d4ef6cf174f104b9a4dfda647ef97335986ccb05139dc223fce0a
SSDEEP

12288:caekfW9UumdR1c+1SbpqDJ8TCqK3S8ILUytT32OD/91l8AnBjfJr5qbwNauP2hW4:c62UumVcbklh4w232Oh1uAnt15qnuP2z

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3052	AutoUpdate.exe

Loads dropped DLL 4 IoCs

pid	Process
2452	05e4a3f1426092bb38bd1fe4caff6e5e_JaffaCakes118.exe
3052	AutoUpdate.exe
3052	AutoUpdate.exe
3052	AutoUpdate.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2452-0-0x0000000000400000-0x00000000009AB000-memory.dmp	upx
behavioral1/memory/2452-13-0x0000000000400000-0x00000000009AB000-memory.dmp	upx
behavioral1/memory/2528-15-0x0000000000400000-0x00000000009AB000-memory.dmp	upx
behavioral1/memory/2528-18-0x0000000000400000-0x00000000009AB000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3052	AutoUpdate.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2452	05e4a3f1426092bb38bd1fe4caff6e5e_JaffaCakes118.exe
2452	05e4a3f1426092bb38bd1fe4caff6e5e_JaffaCakes118.exe
2528	05E4A3~1.EXE
2528	05E4A3~1.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 3052	2452	05e4a3f1426092bb38bd1fe4caff6e5e_JaffaCakes118.exe	28
PID 2452 wrote to memory of 3052	2452	05e4a3f1426092bb38bd1fe4caff6e5e_JaffaCakes118.exe	28
PID 2452 wrote to memory of 3052	2452	05e4a3f1426092bb38bd1fe4caff6e5e_JaffaCakes118.exe	28
PID 2452 wrote to memory of 3052	2452	05e4a3f1426092bb38bd1fe4caff6e5e_JaffaCakes118.exe	28
PID 2452 wrote to memory of 3052	2452	05e4a3f1426092bb38bd1fe4caff6e5e_JaffaCakes118.exe	28
PID 2452 wrote to memory of 3052	2452	05e4a3f1426092bb38bd1fe4caff6e5e_JaffaCakes118.exe	28
PID 2452 wrote to memory of 3052	2452	05e4a3f1426092bb38bd1fe4caff6e5e_JaffaCakes118.exe	28
PID 3052 wrote to memory of 2528	3052	AutoUpdate.exe	30
PID 3052 wrote to memory of 2528	3052	AutoUpdate.exe	30
PID 3052 wrote to memory of 2528	3052	AutoUpdate.exe	30
PID 3052 wrote to memory of 2528	3052	AutoUpdate.exe	30
PID 3052 wrote to memory of 2528	3052	AutoUpdate.exe	30
PID 3052 wrote to memory of 2528	3052	AutoUpdate.exe	30
PID 3052 wrote to memory of 2528	3052	AutoUpdate.exe	30

C:\Users\Admin\AppData\Local\Temp\05e4a3f1426092bb38bd1fe4caff6e5e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05e4a3f1426092bb38bd1fe4caff6e5e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\AppData\Local\Temp\AutoUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\AutoUpdate.exe" http://lookpcik.com:90/serverlist.txt C:\Users\Admin\AppData\Local\Temp\05E4A3~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Users\Admin\AppData\Local\Temp\05E4A3~1.EXE
    "C:\Users\Admin\AppData\Local\Temp\05E4A3~1.EXE" mudum
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\AutoUpdate.exe

Filesize
1.0MB

MD5
ca999433f282a93a69ed38f68d1f170f

SHA1
d3388ca18f0a64867912465a84771cccb6622ea4

SHA256
ca3df853d83d23c03d347388e237cf0579e7984e7280459a1784d25ed7eb3962

SHA512
a28215d61358635ae8e3750c0cc5314f19febd7d60ed27666d02522a7a568f36f368c292098ed56b701e438a820c5a308709ad87cabe1334a7061dd95034d92c

Download Submit
memory/2452-0-0x0000000000400000-0x00000000009AB000-memory.dmp

Filesize
5.7MB

Download
memory/2452-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2452-13-0x0000000000400000-0x00000000009AB000-memory.dmp

Filesize
5.7MB

Download
memory/2528-15-0x0000000000400000-0x00000000009AB000-memory.dmp

Filesize
5.7MB

Download
memory/2528-16-0x0000000000EB0000-0x000000000145B000-memory.dmp

Filesize
5.7MB

Download
memory/2528-17-0x0000000000EB0000-0x000000000145B000-memory.dmp

Filesize
5.7MB

Download
memory/2528-18-0x0000000000400000-0x00000000009AB000-memory.dmp

Filesize
5.7MB

Download
memory/2528-20-0x0000000000EB0000-0x000000000145B000-memory.dmp

Filesize
5.7MB

Download
memory/2528-21-0x0000000000EB0000-0x000000000145B000-memory.dmp

Filesize
5.7MB

Download
memory/3052-14-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download