639702fed8df06be7ecaa8ca11b2a6d479703969764a06d0ebec2fecc4a2f9f7

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0838e1c7873b1595aa6e1cf1f1299e86_JaffaCakes118.exe
Size

45KB
MD5

0838e1c7873b1595aa6e1cf1f1299e86
SHA1

7baa45fcaf8a54213d1b4dad3713bbc2858a2a4e
SHA256

639702fed8df06be7ecaa8ca11b2a6d479703969764a06d0ebec2fecc4a2f9f7
SHA512

ecfd20522481f4f420521f0c8ff7f3c83cffde35125549230eb4ee2ffca56f9a62d09cbad53059e3db48138c589e8b01468da188dd6dd9bab6f8bfe9f730963d
SSDEEP

768:ICgTOs6gAVJbUAxY4sVhCvbuq/fJScnq+sym1rwiUXX7+ecJDR7:ZgTOsNybtY4sVoiq/fznK11rJKgJDR7

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3036	rundll32.exe

Loads dropped DLL 8 IoCs

pid	Process
3036	rundll32.exe
3036	rundll32.exe
3036	rundll32.exe
3040	Rundll32.exe
3036	rundll32.exe
3040	Rundll32.exe
3040	Rundll32.exe
3040	Rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/996-2-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/996-4-0x0000000000400000-0x0000000000427000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS2011HELPER = "RUNDLL32.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\MS2011Helper.DLL,w"	Rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3040	Rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 3040	996	0838e1c7873b1595aa6e1cf1f1299e86_JaffaCakes118.exe	28
PID 996 wrote to memory of 3040	996	0838e1c7873b1595aa6e1cf1f1299e86_JaffaCakes118.exe	28
PID 996 wrote to memory of 3040	996	0838e1c7873b1595aa6e1cf1f1299e86_JaffaCakes118.exe	28
PID 996 wrote to memory of 3040	996	0838e1c7873b1595aa6e1cf1f1299e86_JaffaCakes118.exe	28
PID 996 wrote to memory of 3040	996	0838e1c7873b1595aa6e1cf1f1299e86_JaffaCakes118.exe	28
PID 996 wrote to memory of 3040	996	0838e1c7873b1595aa6e1cf1f1299e86_JaffaCakes118.exe	28
PID 996 wrote to memory of 3040	996	0838e1c7873b1595aa6e1cf1f1299e86_JaffaCakes118.exe	28
PID 996 wrote to memory of 3036	996	0838e1c7873b1595aa6e1cf1f1299e86_JaffaCakes118.exe	29
PID 996 wrote to memory of 3036	996	0838e1c7873b1595aa6e1cf1f1299e86_JaffaCakes118.exe	29
PID 996 wrote to memory of 3036	996	0838e1c7873b1595aa6e1cf1f1299e86_JaffaCakes118.exe	29
PID 996 wrote to memory of 3036	996	0838e1c7873b1595aa6e1cf1f1299e86_JaffaCakes118.exe	29
PID 996 wrote to memory of 3036	996	0838e1c7873b1595aa6e1cf1f1299e86_JaffaCakes118.exe	29
PID 996 wrote to memory of 3036	996	0838e1c7873b1595aa6e1cf1f1299e86_JaffaCakes118.exe	29
PID 996 wrote to memory of 3036	996	0838e1c7873b1595aa6e1cf1f1299e86_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\0838e1c7873b1595aa6e1cf1f1299e86_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0838e1c7873b1595aa6e1cf1f1299e86_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:996
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32.exe C:\Users\Admin\AppData\Local\Temp\\MS2011Helper.DLL,w
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:3040
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\\MS2011Helper.DLL,SelfDelete C:\Users\Admin\AppData\Local\Temp\0838e1c7873b1595aa6e1cf1f1299e86_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MS2011Helper.DLL

Filesize
88KB

MD5
e028d4589f18c2f66c43bb3113c853f5

SHA1
f427084ac109c23c7b9db179739e61609a997cf2

SHA256
481c5257a9db8c4f6a8deecffdc9bd549001f696f85bf799afb8a8a8d9ff99e2

SHA512
b67be5042c76eaa6f1326983432c576daa3f9251e63737c38e69af945cae1b4e10d10443f672855aad2c97909d7c92f02c1d54356efec46296a2d289f4f98ad8

Download Submit
memory/996-2-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/996-4-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads