6ec4bb5310f29793bb191342c1ad0e5ff3a424a5288af14d59c1cf166f22ea4d

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
Size

364KB
MD5

14cdf64a2751141e09966d0a9b998562
SHA1

37b43095e69c78c849adb969a039ed2ade960696
SHA256

6ec4bb5310f29793bb191342c1ad0e5ff3a424a5288af14d59c1cf166f22ea4d
SHA512

dd3de45c1c11e70a85b0fa655287a606966d87e6a3dc16c3f5840f82a1adccf9fe2fb9e83c5831d562702093fa83fca850807f87fdc804e56b4d9be11b57523e
SSDEEP

6144:mBMTvQEYBpy8wLY/5fxpKfS7YURZlO52/DxSVeHSl8dXnll1:+rpSOzOEBE2/DIohpll

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2024-1-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral1/memory/2024-3-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral1/memory/2024-4-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral1/memory/2024-5-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral1/memory/2024-6-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral1/memory/2056-21-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral1/memory/2056-22-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral1/memory/2056-24-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral1/memory/2024-25-0x0000000000400000-0x00000000004EB000-memory.dmp	upx
behavioral1/memory/2024-36-0x0000000000400000-0x00000000004EB000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\14cdf64a2751141e09966d0a9b998562_JaffaCakes118 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe"	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2056	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2056	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2056	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
Token: SeDebugPrivilege	2056	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2056	2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe	28
PID 2024 wrote to memory of 2056	2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe	28
PID 2024 wrote to memory of 2056	2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe	28
PID 2024 wrote to memory of 2056	2024	14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\14cdf64a2751141e09966d0a9b998562_JaffaCakes118.exe" BOMBARDAMAXIMUM
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\14cdf64a2751141e09966d0a9b998562_JaffaCakes118

Filesize
192B

MD5
2bde8ace3cb8d3072fc24b5e754390b4

SHA1
d86fc79810ff364a4d2f04339b24026ec980dd35

SHA256
1c2a09ad109fc49085b7d23a38d02034e75e5bb9ee8891f38b66269fc9ce31a9

SHA512
bb88eb40a19e6a25e657e3bd061a31ab6ea5d83ee32c7ed1ed43ca008d6f5d7a0c27e059683515f2a5cbcbca36f2f7d3ead649b5e9d62e5f0fcafd6e1f3283ce

Download Submit
C:\ProgramData\14cdf64a2751141e09966d0a9b998562_JaffaCakes118

Filesize
192B

MD5
ab44f48eff071c95ec3ecb8f448a02e3

SHA1
694a654d9a918ce44f6c2d06ec56e10c10e8bc74

SHA256
7c711afc3658201c5f14ec43bfec108e622cb94b21348dd9b9733e36aa483c25

SHA512
d59c76cd28a2ef10e8bcc6d00974e79cc68c04a08814adfa568014e9fcde114b16abb24e0600c7f8dd42569c0491353351215a49bff8e51e830fd5713eb040bd

Download Submit
memory/2024-26-0x000000000045A000-0x000000000045B000-memory.dmp

Filesize
4KB

Download
memory/2024-1-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2024-3-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2024-4-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2024-5-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2024-6-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2024-0-0x000000000045A000-0x000000000045B000-memory.dmp

Filesize
4KB

Download
memory/2024-36-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2024-25-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2056-21-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2056-24-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2056-22-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download