0aac3397fb90dfeefe6476eba0ba678a15ae4f679c2261bf859d896908439cd6

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1596309e007ed704e93e11f80620f180_JaffaCakes118.exe
Size

10KB
MD5

1596309e007ed704e93e11f80620f180
SHA1

e992e3df58accb1cce1f00685feb8b93050c5806
SHA256

0aac3397fb90dfeefe6476eba0ba678a15ae4f679c2261bf859d896908439cd6
SHA512

57e1f4008e1610ce6419a45847df095656a7f64c2c11e956f0b79454ebaacaff47a55d2bf3fc07f2935148f2524a12a20d625f7db3f0ea1050c6cd67220c04e5
SSDEEP

192:iIysA/4ZJH5dtpJNynX698rLFxMWhhW1qkMD+l2aD/Dg+:iIysAwZtRbNynq98rYWPWVMD+l1D/s+

Score

8^/10

persistence privilege_escalation upx

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Deletes itself 1 IoCs

pid	Process
2680	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2184	mysibkk.exe

Loads dropped DLL 2 IoCs

pid	Process
1656	1596309e007ed704e93e11f80620f180_JaffaCakes118.exe
1656	1596309e007ed704e93e11f80620f180_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1656-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x0059000000015cc2-3.dat	upx
behavioral1/memory/2184-11-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1656-10-0x0000000000030000-0x000000000003F000-memory.dmp	upx
behavioral1/memory/1656-19-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mysibk.dll	1596309e007ed704e93e11f80620f180_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mysibkk.exe	1596309e007ed704e93e11f80620f180_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mysibkk.exe	1596309e007ed704e93e11f80620f180_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1656	1596309e007ed704e93e11f80620f180_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2184	1656	1596309e007ed704e93e11f80620f180_JaffaCakes118.exe	28
PID 1656 wrote to memory of 2184	1656	1596309e007ed704e93e11f80620f180_JaffaCakes118.exe	28
PID 1656 wrote to memory of 2184	1656	1596309e007ed704e93e11f80620f180_JaffaCakes118.exe	28
PID 1656 wrote to memory of 2184	1656	1596309e007ed704e93e11f80620f180_JaffaCakes118.exe	28
PID 1656 wrote to memory of 2680	1656	1596309e007ed704e93e11f80620f180_JaffaCakes118.exe	29
PID 1656 wrote to memory of 2680	1656	1596309e007ed704e93e11f80620f180_JaffaCakes118.exe	29
PID 1656 wrote to memory of 2680	1656	1596309e007ed704e93e11f80620f180_JaffaCakes118.exe	29
PID 1656 wrote to memory of 2680	1656	1596309e007ed704e93e11f80620f180_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\1596309e007ed704e93e11f80620f180_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1596309e007ed704e93e11f80620f180_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\mysibkk.exe
  C:\Windows\system32\mysibkk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\1596309e007ed704e93e11f80620f180_JaffaCakes118.exe.bat
  2⤵
  - Deletes itself
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1596309e007ed704e93e11f80620f180_JaffaCakes118.exe.bat

Filesize
210B

MD5
a0aefe4c036e9881d469863be4af9cfa

SHA1
61dfce3c8a9df89d17f747adf5b2e1d6bb3b45fe

SHA256
ee6a62258c390e022abd3dd56d3ed84a650893a85b904246fc6f9cb4037fdf09

SHA512
37d47e3409c863dd5ac66f4f50f6212b3d865ee1964228bab6216c577c6f374e1dec681ad24f0c644b836682a6d953e184d9cb1a2221a68d6af565f4c508c712

Download Submit
\Windows\SysWOW64\mysibkk.exe

Filesize
10KB

MD5
1596309e007ed704e93e11f80620f180

SHA1
e992e3df58accb1cce1f00685feb8b93050c5806

SHA256
0aac3397fb90dfeefe6476eba0ba678a15ae4f679c2261bf859d896908439cd6

SHA512
57e1f4008e1610ce6419a45847df095656a7f64c2c11e956f0b79454ebaacaff47a55d2bf3fc07f2935148f2524a12a20d625f7db3f0ea1050c6cd67220c04e5

Download Submit
memory/1656-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1656-10-0x0000000000030000-0x000000000003F000-memory.dmp

Filesize
60KB

Download
memory/1656-19-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2184-11-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download