8f0c3c7503e686f28d3cfeaaaffcbf1152f0a46c9a5968b694c487d9e8e7c441

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-06-2024 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f62bd0262468d92e6e09b81b2779ac8_JaffaCakes118.exe
Size

61KB
MD5

0f62bd0262468d92e6e09b81b2779ac8
SHA1

b54e505344e3447c2cde3cd5ee4abd0aee3d8c66
SHA256

8f0c3c7503e686f28d3cfeaaaffcbf1152f0a46c9a5968b694c487d9e8e7c441
SHA512

950a537e9a021524a5f38f6598f11f46b437d0b30d70187c0137434f7602a3a6168c4ad5a50fbb60092771d3dc4845f7a074c2494a4055e25249970b8ce1d022
SSDEEP

768:piExqgQCzrBjr4+uYpUwVG/vHNLyty5ynFzbjivumZurBweqSXH/S+WkDlUL3428:QExqgQRVxyc5QyR4mL+dDlaI2kSUzt

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1840	9491.exe
2568	5172.exe
2484	Svchosts.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000001416f-13.dat	upx
behavioral1/memory/2568-16-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2276-14-0x00000000001B0000-0x00000000001D2000-memory.dmp	upx
behavioral1/memory/2568-20-0x0000000000220000-0x0000000000242000-memory.dmp	upx
behavioral1/memory/2484-31-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2568-37-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2484-39-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2484-40-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2484-41-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2484-42-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2484-43-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2484-44-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2484-45-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2484-46-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2484-47-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2484-48-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2484-49-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2484-50-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2484-51-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2484-52-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Svchosts.exe = "Svchosts.exe"	5172.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Svchosts.exe = "Svchosts.exe"	Svchosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Svchosts.exe	5172.exe
File opened for modification	C:\Windows\Svchosts.exe	5172.exe
File created	C:\Windows\Deleteme.bat	5172.exe
File created	C:\Windows\9491.exe	0f62bd0262468d92e6e09b81b2779ac8_JaffaCakes118.exe
File created	C:\Windows\5172.exe	0f62bd0262468d92e6e09b81b2779ac8_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2568	5172.exe
2568	5172.exe
2568	5172.exe
2568	5172.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe
2484	Svchosts.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 1840	2276	0f62bd0262468d92e6e09b81b2779ac8_JaffaCakes118.exe	28
PID 2276 wrote to memory of 1840	2276	0f62bd0262468d92e6e09b81b2779ac8_JaffaCakes118.exe	28
PID 2276 wrote to memory of 1840	2276	0f62bd0262468d92e6e09b81b2779ac8_JaffaCakes118.exe	28
PID 2276 wrote to memory of 1840	2276	0f62bd0262468d92e6e09b81b2779ac8_JaffaCakes118.exe	28
PID 2276 wrote to memory of 2568	2276	0f62bd0262468d92e6e09b81b2779ac8_JaffaCakes118.exe	29
PID 2276 wrote to memory of 2568	2276	0f62bd0262468d92e6e09b81b2779ac8_JaffaCakes118.exe	29
PID 2276 wrote to memory of 2568	2276	0f62bd0262468d92e6e09b81b2779ac8_JaffaCakes118.exe	29
PID 2276 wrote to memory of 2568	2276	0f62bd0262468d92e6e09b81b2779ac8_JaffaCakes118.exe	29
PID 2568 wrote to memory of 2484	2568	5172.exe	30
PID 2568 wrote to memory of 2484	2568	5172.exe	30
PID 2568 wrote to memory of 2484	2568	5172.exe	30
PID 2568 wrote to memory of 2484	2568	5172.exe	30
PID 2568 wrote to memory of 1280	2568	5172.exe	31
PID 2568 wrote to memory of 1280	2568	5172.exe	31
PID 2568 wrote to memory of 1280	2568	5172.exe	31
PID 2568 wrote to memory of 1280	2568	5172.exe	31

C:\Users\Admin\AppData\Local\Temp\0f62bd0262468d92e6e09b81b2779ac8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f62bd0262468d92e6e09b81b2779ac8_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\9491.exe
  C:\Windows\9491.exe
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Windows\5172.exe
  C:\Windows\5172.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\Svchosts.exe
    C:\Windows\Svchosts.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\Deleteme.bat
    3⤵
    PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\5172.exe

Filesize
42KB

MD5
f447a4170493503509ded00c74b17337

SHA1
acaba6230efe7464480ffb5c99f73a3280405a69

SHA256
06a62de03fa0c771b7420336efd0abd7e479c8c63a0e99dfe5ea20d5e0357c6a

SHA512
0f354045ddb23ab6684658b37a2d9b94c7ed60fcf225338fc2b8bf89e591dde08dd1a5ca2bfac75181e7e57969ccc9526fb61a00bd52fb4ea0788c17912f0706

Download Submit
C:\Windows\9491.exe

Filesize
512B

MD5
6285aa4f0b159d742ec10a07c06e6862

SHA1
dfb31a831a7a72524d0c94952be06792a03bb257

SHA256
c442dc95d0b86cd8db35acfd645b6836818419295464414077491b9adb889cc5

SHA512
51a6dbc2681147672f5c3c1f63c1511ac90dc9e803dfc7597ebeddacbab063500dd440a4672f28d96c58d3778d48dbae2f18b226197aabaa771e581a2661c093

Download Submit
C:\Windows\Deleteme.bat

Filesize
82B

MD5
c86f9c3b5ee3d9cb32fb093ce6cb9297

SHA1
7da81d254524244860ba1e143824ddff05ee1bb7

SHA256
0ce3d736122168430f8581d5fb86ece6882b1b9d089fcb2c8cac90159d64f5d5

SHA512
04cbc6db5bee968aa9ad91039b2dd093693b301f803a175d69988c755a4372adfa173f1507abe53cc6ec06263c0db1d89509d1e415c17f780f0954f6bfe815a3

Download Submit
memory/1840-7-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2276-36-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2276-2-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/2276-14-0x00000000001B0000-0x00000000001D2000-memory.dmp

Filesize
136KB

Download
memory/2276-15-0x00000000001B0000-0x00000000001D2000-memory.dmp

Filesize
136KB

Download
memory/2484-41-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2484-43-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2484-31-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2484-52-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2484-51-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2484-39-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2484-40-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2484-50-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2484-42-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2484-49-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2484-44-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2484-45-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2484-46-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2484-47-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2484-48-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2568-16-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2568-20-0x0000000000220000-0x0000000000242000-memory.dmp

Filesize
136KB

Download
memory/2568-27-0x0000000000220000-0x0000000000242000-memory.dmp

Filesize
136KB

Download
memory/2568-37-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download