f9934e8e4104400baacd0b31891c3df7557a3283a443804c3cf6c43d3e378510

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ffbcee06e2f5040d464bcff95cd4d60_JaffaCakes118.exe
Size

2.3MB
MD5

0ffbcee06e2f5040d464bcff95cd4d60
SHA1

ae3c65c54c602255359ba660a83545bcd94bda7a
SHA256

f9934e8e4104400baacd0b31891c3df7557a3283a443804c3cf6c43d3e378510
SHA512

631b9d251ed9477683e3406083cbe1fc27e0597f00788b7a127d2192bc727ca8b9cf5bc63ce6f6694710d7a7b254ce6fcb9b729e33472a62644e8c433be705ff
SSDEEP

49152:kuzFZ/0rAkC2Ct4BUZ3xu+JOkCw+VGtdrHJeKvgy:k+FerZC2CpZ3xu+BQSdjvz

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2032	svchost.exe
2984	0ffbcee06e2f5040d464bcff95cd4d60_JaffaCakes118.exe
2676	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2032	svchost.exe
2032	svchost.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000016591-10.dat	upx
behavioral1/memory/2984-19-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2984-260-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2984-264-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2984-266-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2984-268-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2984-270-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2984-274-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2984-276-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2984-278-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2984-280-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2984-282-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2984-284-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2984-286-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2984-288-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2984-290-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\ReadBlock.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	0ffbcee06e2f5040d464bcff95cd4d60_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2984	0ffbcee06e2f5040d464bcff95cd4d60_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2032	2068	0ffbcee06e2f5040d464bcff95cd4d60_JaffaCakes118.exe	28
PID 2068 wrote to memory of 2032	2068	0ffbcee06e2f5040d464bcff95cd4d60_JaffaCakes118.exe	28
PID 2068 wrote to memory of 2032	2068	0ffbcee06e2f5040d464bcff95cd4d60_JaffaCakes118.exe	28
PID 2068 wrote to memory of 2032	2068	0ffbcee06e2f5040d464bcff95cd4d60_JaffaCakes118.exe	28
PID 2032 wrote to memory of 2984	2032	svchost.exe	29
PID 2032 wrote to memory of 2984	2032	svchost.exe	29
PID 2032 wrote to memory of 2984	2032	svchost.exe	29
PID 2032 wrote to memory of 2984	2032	svchost.exe	29

C:\Users\Admin\AppData\Local\Temp\0ffbcee06e2f5040d464bcff95cd4d60_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ffbcee06e2f5040d464bcff95cd4d60_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\0ffbcee06e2f5040d464bcff95cd4d60_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\0ffbcee06e2f5040d464bcff95cd4d60_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0ffbcee06e2f5040d464bcff95cd4d60_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2984

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\1.JAR.SFX

Filesize
33KB

MD5
1c261f0a1bb4aceaa042f32eb06c730e

SHA1
8642005daea0a11facbe55b28e7692f042a3e418

SHA256
2bf1f7fd276754a80f6b4cc2ccf28ccc81384dade84ea112cad6d88cbf8ca960

SHA512
02b28efe12500f892e2615f34833046bfeeaa3b0b9b310d7f9771cfd1b6eea60327e3ffaa1312cede3e77a592616939af4cebf33124e315d574565ce14572367

Download Submit
C:\Windows\Temp\Setup.ini

Filesize
3KB

MD5
70168d17ba045b3e97c3997b12c42c70

SHA1
1e948fe76bc2ffa3abdf4a138e47117b119e6970

SHA256
d75d58faf963656be4ac2bbd0c410c22f46ddb665f621d44b23c716da88026ec

SHA512
3405c0529e4fea629448163be89dcfaf4b33f598795750b215e2ebf85eb4084f772d78403f01613807ca159206f36f6b2981180c1a294f42a70e6b59a6cb8071

Download Submit
C:\Windows\Temp\Setup.txt

Filesize
452B

MD5
e76ce5db2129735978115df41ba57f89

SHA1
41277c5bbd841e983dac2dbda199adad4d5e93a9

SHA256
bcf15fbcc373c27b89a80e8f2ebb95f804c336c8d40116141c7088b64084879c

SHA512
93dec6def6fb4ce3173a1f09dd39f78cb1ae7b39d88081a2eae7f3f1a824bc3c7ba009f866147486ef07fe6a02a8bdbe9edd4c4b9dccf93a9a7931dabe360849

Download Submit
C:\Windows\Temp\Switch Off computer in network.dl3

Filesize
15KB

MD5
6d3dcdce95d96d9a9e5e8f6f3cf778a9

SHA1
1b2b8fac4696083dd7b6e25740f523513602fcce

SHA256
5123d55e3f4f07d18ae48bd17ab5ee28b18c624270b0ff262fb14b4b1b6a50df

SHA512
1dc1e90b686d3f1e1aa29d0789243e79c55fbd797249f9e1ea197f752f505358f6c50d3e6cf09be96fa172db1d723083a1d2a018c246cd5584b9580ec2fa9931

Download Submit
C:\Windows\Temp\Ïàíåëü óïðàâëåíèÿ.dl3

Filesize
9KB

MD5
ff7781932f63a525f5fc2db93f28bfcd

SHA1
00ee8ab0071406d11583fe0c618e1ba3da2fe24d

SHA256
6274266031f1e423c9c8d8d3ca160b6b77dd8aaaf83f2490bfce2d62d7d0ad9b

SHA512
52d1d3e9ca9daa0c9912de3593ef2b0f39a8c51092673c52207072ebc99285dbe8aba8f53996b3989fb8c9271aee47b720628edd100f3f76c94fac0f7778b418

Download Submit
C:\Windows\Temp\Ïàðàìåòðû ñèñòåìû.dl3

Filesize
15KB

MD5
2773824289eb26d464a516607ac0b22f

SHA1
6ed3ca9a009d2e2d53fbe077ba07beaec416263d

SHA256
253dca382a1e1f75b2349907348c7f62fc23c7e3b307cdab998ce98beae9d3e7

SHA512
ed81b4390b81d6a4e314d9418bbc1ec534c69e8b8a3bb7f6983f87d9e0e2eba9fabe864bc372dcd1d73f5110380c963d9ebd6a8310f97f4988423b01c08100a1

Download Submit
C:\Windows\Temp\Óñòàíîâêà è óäàëåíèå ïðîãðàìì.dl3

Filesize
9KB

MD5
e29aa1672148ae82ed082dc22cae0ff2

SHA1
446fceee1b195b77d67be958e7f9beb161814942

SHA256
276e7f530771e0c2d6d70e08b880cdd96b49176c4d165ab93b26478032baad91

SHA512
39419259aa70596e2f90c19df9407c78d77953aa89f89e1cba543972f8082ec6c3fb4821d64eae071ef44cb8b618db00ec86428c904344a55c48f18f6e3b7e80

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
\Users\Admin\AppData\Local\Temp\0ffbcee06e2f5040d464bcff95cd4d60_JaffaCakes118.exe

Filesize
2.3MB

MD5
d72bd058af4225304c130ccc30472c67

SHA1
654c3846145b4f4409e35f292bd883ef69730a58

SHA256
bd1edcda1022456ab38c50e30104dc7ec744902048c80cbff317975eb54c48a2

SHA512
7478491a03f561577e949bfb15d63dc6e918598cd277881dac0688717dbc4672f0732cf7f2348d9f9d4976fdd1a563d9727c3d99c74f8a263e72923e965b47a9

Download Submit
memory/2032-21-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2032-17-0x0000000000020000-0x000000000003E000-memory.dmp

Filesize
120KB

Download
memory/2032-18-0x0000000000020000-0x000000000003E000-memory.dmp

Filesize
120KB

Download
memory/2068-5-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2676-261-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2676-285-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2984-260-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2984-264-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2984-266-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2984-268-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2984-270-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2984-274-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2984-276-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2984-278-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2984-280-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2984-282-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2984-284-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2984-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2984-286-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2984-288-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2984-290-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download