dc34ce6174d8ba90e00df8aebc520d433ad439a7d3cf764d94f65810cc3cbef4

Analysis

max time kernel
141s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

093f7127e97bbc13aca42fa5d15827ba_JaffaCakes118.exe
Size

291KB
MD5

093f7127e97bbc13aca42fa5d15827ba
SHA1

daf09345d3cf295d3c7136a81d9c4e18074dd140
SHA256

dc34ce6174d8ba90e00df8aebc520d433ad439a7d3cf764d94f65810cc3cbef4
SHA512

a55762d5b297de59d9191bc32787ef25f1868c6d7475e779c56bdacf4d6d997f2a98ae642962facb4282a8685901ca84e5f57221a63846e1b52ccc2f98c7a20d
SSDEEP

6144:8Jlm2t+eM0cA5yDDZc9t1V5az8c4nDRVIAHu9vMzM:6ACF/ccyDN8R5nDRVIl9vM

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2704	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2972	svchost.com

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2932-0-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/files/0x0007000000012120-4.dat	upx
behavioral1/memory/2972-5-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/2932-15-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/2972-17-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/2972-18-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/2972-23-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	093f7127e97bbc13aca42fa5d15827ba_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	093f7127e97bbc13aca42fa5d15827ba_JaffaCakes118.exe
File created	C:\Windows\svchost.com	093f7127e97bbc13aca42fa5d15827ba_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	093f7127e97bbc13aca42fa5d15827ba_JaffaCakes118.exe
Token: SeDebugPrivilege	2972	svchost.com

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2972	svchost.com

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2660	2972	svchost.com	29
PID 2972 wrote to memory of 2660	2972	svchost.com	29
PID 2972 wrote to memory of 2660	2972	svchost.com	29
PID 2972 wrote to memory of 2660	2972	svchost.com	29
PID 2932 wrote to memory of 2704	2932	093f7127e97bbc13aca42fa5d15827ba_JaffaCakes118.exe	30
PID 2932 wrote to memory of 2704	2932	093f7127e97bbc13aca42fa5d15827ba_JaffaCakes118.exe	30
PID 2932 wrote to memory of 2704	2932	093f7127e97bbc13aca42fa5d15827ba_JaffaCakes118.exe	30
PID 2932 wrote to memory of 2704	2932	093f7127e97bbc13aca42fa5d15827ba_JaffaCakes118.exe	30
PID 2932 wrote to memory of 2704	2932	093f7127e97bbc13aca42fa5d15827ba_JaffaCakes118.exe	30
PID 2932 wrote to memory of 2704	2932	093f7127e97bbc13aca42fa5d15827ba_JaffaCakes118.exe	30
PID 2932 wrote to memory of 2704	2932	093f7127e97bbc13aca42fa5d15827ba_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\093f7127e97bbc13aca42fa5d15827ba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\093f7127e97bbc13aca42fa5d15827ba_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:2704

C:\Windows\svchost.com
C:\Windows\svchost.com
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Program Files\Internet ExpLORER\iexplore.exe
  "C:\Program Files\Internet ExpLORER\iexplore.exe"
  2⤵
  PID:2660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchost.com

Filesize
291KB

MD5
093f7127e97bbc13aca42fa5d15827ba

SHA1
daf09345d3cf295d3c7136a81d9c4e18074dd140

SHA256
dc34ce6174d8ba90e00df8aebc520d433ad439a7d3cf764d94f65810cc3cbef4

SHA512
a55762d5b297de59d9191bc32787ef25f1868c6d7475e779c56bdacf4d6d997f2a98ae642962facb4282a8685901ca84e5f57221a63846e1b52ccc2f98c7a20d

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
4ad78278fef236b652fa728c586a34cf

SHA1
a87e1c7e5151f9bc75002319c1b2ebd74692e20c

SHA256
16a8d3715cf91a23d180d410cb0a8b70ac57557fc4579d5548948260e0b7816d

SHA512
eea35e381716c61a52aee92a5d91532052a82e1f1eadff4b134e825c3b6cce64af3d36126e1744b1e87e91a17aa4f1773b3c464163477f45729d6d4c9ce36141

Download Submit
memory/2932-0-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2932-1-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2932-15-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2972-6-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2972-5-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2972-17-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2972-18-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2972-19-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2972-23-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download