bc2e18feb6393eaf30cd03cda9bd9f00ca431b4124ed3791612c6e2d620d1799

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f03f8c99e8a1c9f79799bd7ae0b4aaf_JaffaCakes118.exe
Size

392KB
MD5

0f03f8c99e8a1c9f79799bd7ae0b4aaf
SHA1

48bfd094207de116f578a7340f5804607556ce14
SHA256

bc2e18feb6393eaf30cd03cda9bd9f00ca431b4124ed3791612c6e2d620d1799
SHA512

1de3e4ff3aa152d74e1e943312b4f793549dc1bc9e2a81177d91995489cf7dc20031e7e0d1684022c38c06b0298bcbc40a23958dca2853f2ce2a44ef6aa9dc67
SSDEEP

6144:Ti1TOUzVPilUt6tE/K2fa7/3bCd9iPv9USgzUIHdbTuLC42DpFJ5FgzEx:T2TOQilUtZKwgvbQiP9cl4OJXgK

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2608	bI06511IjDaD06511.exe

Executes dropped EXE 1 IoCs

pid	Process
2608	bI06511IjDaD06511.exe

Loads dropped DLL 2 IoCs

pid	Process
2024	0f03f8c99e8a1c9f79799bd7ae0b4aaf_JaffaCakes118.exe
2024	0f03f8c99e8a1c9f79799bd7ae0b4aaf_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2024-1-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2024-17-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2608-25-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2608-29-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2608-38-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bI06511IjDaD06511 = "C:\\ProgramData\\bI06511IjDaD06511\\bI06511IjDaD06511.exe"	bI06511IjDaD06511.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	bI06511IjDaD06511.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2024	0f03f8c99e8a1c9f79799bd7ae0b4aaf_JaffaCakes118.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	0f03f8c99e8a1c9f79799bd7ae0b4aaf_JaffaCakes118.exe
Token: SeDebugPrivilege	2608	bI06511IjDaD06511.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2608	bI06511IjDaD06511.exe
2608	bI06511IjDaD06511.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2608	2024	0f03f8c99e8a1c9f79799bd7ae0b4aaf_JaffaCakes118.exe	28
PID 2024 wrote to memory of 2608	2024	0f03f8c99e8a1c9f79799bd7ae0b4aaf_JaffaCakes118.exe	28
PID 2024 wrote to memory of 2608	2024	0f03f8c99e8a1c9f79799bd7ae0b4aaf_JaffaCakes118.exe	28
PID 2024 wrote to memory of 2608	2024	0f03f8c99e8a1c9f79799bd7ae0b4aaf_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\0f03f8c99e8a1c9f79799bd7ae0b4aaf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f03f8c99e8a1c9f79799bd7ae0b4aaf_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\ProgramData\bI06511IjDaD06511\bI06511IjDaD06511.exe
  "C:\ProgramData\bI06511IjDaD06511\bI06511IjDaD06511.exe" "C:\Users\Admin\AppData\Local\Temp\0f03f8c99e8a1c9f79799bd7ae0b4aaf_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bI06511IjDaD06511\bI06511IjDaD06511

Filesize
192B

MD5
6cea244d6f9892e75bf1e63fa73c06d4

SHA1
61520c65d7c2d0d179959df9edad30a8ef72a5d6

SHA256
6d3d315b44eeac4f22dfffb17e5b1052c2dc20d4a7165808488844d950ca6da8

SHA512
b36f0f8cd7205f1467224dac8b3639d904705735844183d88537f6f4796db8ca685718ee7aedca5b6c3416ec544bce2edaac4a2027b682931a08f56be368bb5e

Download Submit
\ProgramData\bI06511IjDaD06511\bI06511IjDaD06511.exe

Filesize
392KB

MD5
eb0bdf00a751b89f14b68d5c57922203

SHA1
5e24ea2a6efd90e8650fd2bc6f39ae989a14a115

SHA256
d37a27decf4e3aee931121253872a3c02142268b71c51e557dba89f7fe91ea57

SHA512
a25050306631caa0ec8ea1aaf2553b025d9fa6a746d204dac0ac70b9079fce575ab24bb933edcec49ce0438e9fb447efd94ea5d43b3438bd5acc4708247f1ac9

Download Submit
memory/2024-0-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/2024-1-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2024-17-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2608-19-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2608-25-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2608-29-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2608-38-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download