ce68e235daa90df78771b927563fc502339dca64f9d42b3c5e267269677f3e6d

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

052311dffac8320b2b7c635dd7ad4e16_JaffaCakes118.exe
Size

218KB
MD5

052311dffac8320b2b7c635dd7ad4e16
SHA1

5b11cec12f8c398fbe0b6cdf5f7e2b5801b54f4b
SHA256

ce68e235daa90df78771b927563fc502339dca64f9d42b3c5e267269677f3e6d
SHA512

366f5d211d7e4e7249a6ab3018b4957fb5e4623b30e6b2b9196ab9d89f171dc5afc944af4aded1e0740e28cf22d30a1b3a1ac47630018bfa2fc1fedf72578d1d
SSDEEP

3072:zYiTpXEq7ndNiDDdwcwqKSncs4lzB8JqHPkbkehTU3ZKsPbi5mEA:zYsrnLiDDKTs4lOJqHPSIZ7ILA

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1688	Output.exe

Loads dropped DLL 2 IoCs

pid	Process
2192	052311dffac8320b2b7c635dd7ad4e16_JaffaCakes118.exe
2192	052311dffac8320b2b7c635dd7ad4e16_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0035000000014171-3.dat	upx
behavioral1/memory/1688-13-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2192-10-0x0000000002560000-0x0000000002584000-memory.dmp	upx
behavioral1/memory/1688-23-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 1688	2192	052311dffac8320b2b7c635dd7ad4e16_JaffaCakes118.exe	28
PID 2192 wrote to memory of 1688	2192	052311dffac8320b2b7c635dd7ad4e16_JaffaCakes118.exe	28
PID 2192 wrote to memory of 1688	2192	052311dffac8320b2b7c635dd7ad4e16_JaffaCakes118.exe	28
PID 2192 wrote to memory of 1688	2192	052311dffac8320b2b7c635dd7ad4e16_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\052311dffac8320b2b7c635dd7ad4e16_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\052311dffac8320b2b7c635dd7ad4e16_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Output.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Output.exe"
  2⤵
  - Executes dropped EXE
  PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FP12F4.tmp

Filesize
169B

MD5
3fd9085076fcab23c613fc049af716dc

SHA1
40d1f2e833b2e6503152ff9ce68bfbe8282c5913

SHA256
ba0b9932e32ea5ba8594833fb9e0d1d27a80d9640daab131d58a669ed268e128

SHA512
0d2aa5a04882fa7e39ca4805fde5337cf61f10f0a81115b06399c00d5910319c0230d142687f6e706bd853ec2066e94978943ee7c7b9e8ff6a359789fdadcd81

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Output.exe

Filesize
46KB

MD5
4c86c74ed4a0751f7dba37b7cb065585

SHA1
660eb0cb02607d18bf357a4859ae23ed8a9c89d6

SHA256
2508a065bddcc2cc002b3c825a8fd5f4dd1938690198d06ac8ec5fb769729254

SHA512
7b82f1e7d2ac51a362c1a9aa2c7ea0e6b1995ab86956b4112df050355976a661a627ce09b0f723432b3c7acdf4fd09fda2242a3157edeb401ea8f05505cbf49a

Download Submit
memory/1688-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1688-23-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2192-11-0x0000000002560000-0x0000000002584000-memory.dmp

Filesize
144KB

Download
memory/2192-10-0x0000000002560000-0x0000000002584000-memory.dmp

Filesize
144KB

Download