Analysis

  • max time kernel
    143s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-06-2024 11:20

General

  • Target

    15ce5e6b5250b42d061f3f536e050457_JaffaCakes118.exe

  • Size

    281KB

  • MD5

    15ce5e6b5250b42d061f3f536e050457

  • SHA1

    0ed82398a4ae86bb491893cd9120d2382f9217d4

  • SHA256

    c4658593625145d039fe38ade840edc79dfb2744b0167e6eb802da7d2402cbe7

  • SHA512

    b0987126c2dba5118c87d7c8e5ee73a585fca5153659a34b445a1d3b89622b4fd1bd092180fcbccff3d3483cdccddc69d78c160ec60cb1b37ab669436fda2aa7

  • SSDEEP

    6144:Oy+phfTwlTLfkixFUQKf3D7TnBAZ5qhbxE:L+p90lYixsfvDBAzK9E

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • UPX packed file (2 IoCs)

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • Program crash (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)
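The "UPX packed file" signature above is a static check on the PE section table. What follows is an added example, not code from the report or from the sandbox: a minimal section-table walker with two independent tells, the UPX0/UPX1 section names that a stock UPX build leaves behind, and the layout those names describe (an empty, writable and executable first section that the stub decompresses into), which survives when a modified UPX scrubs the names. The images it parses are constructed header-only stubs, not bytes from the analysed sample; their section sizes and characteristics are assumed to mirror a typical UPX output.

```python
import struct

# Added example for the "UPX packed file" signature: a minimal PE section-table
# walker. The images parsed below are constructed header-only stubs with an
# assumed UPX-like layout; they are not bytes from the analysed sample.

SECTION_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_stub_pe(sections):
    """DOS header + PE signature + COFF header + zeroed PE32 optional header +
    section headers. Each section is (name, VirtualSize, VirtualAddress,
    SizeOfRawData, PointerToRawData, Characteristics); no section data follows."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                  # PE32 magic, 224 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(
        struct.pack(SECTION_HDR, name.ljust(8, b"\0"), vsize, va, raw, ptr, 0, 0, 0, 0, chars)
        for name, vsize, va, raw, ptr, chars in sections)
    return dos + b"PE\0\0" + coff + opt + table


def parse_sections(data):
    """[(name, VirtualSize, SizeOfRawData, Characteristics)] for every section."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec, = struct.unpack_from("<H", data, coff + 2)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, coff + 16)   # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    out = []
    for i in range(nsec):
        name, vsize, _va, raw, _ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, data, table + i * 40)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, raw, chars))
    return out


def upx_indicators(data):
    """Two independent tells. Section names are what a plain UPX build leaves
    behind; a 'modified UPX' renames them, but the layout survives: the first
    section has SizeOfRawData == 0 and a large VirtualSize, and must be
    writable and executable because the stub decompresses the program into it."""
    secs = parse_sections(data)
    names = [s[0] for s in secs]
    _, first_vsize, first_raw, first_chars = secs[0]
    wx = bool(first_chars & IMAGE_SCN_MEM_EXECUTE) and bool(first_chars & IMAGE_SCN_MEM_WRITE)
    return {
        "sections": names,
        "upx_names": any(n.upper().startswith("UPX") for n in names),
        "empty_wx_first_section": first_raw == 0 and first_vsize > 0 and wx,
    }


def looks_upx_packed(data):
    ind = upx_indicators(data)
    return ind["upx_names"] or ind["empty_wx_first_section"]


# Constructed stubs. Sizes/characteristics are assumed, chosen to mirror a
# typical UPX output (UPX0 empty on disk, UPX1 holding the compressed image).
PACKED_STUB = build_stub_pe([
    (b"UPX0", 0x70000, 0x1000, 0, 0x400, 0xE0000080),
    (b"UPX1", 0x46000, 0x71000, 0x45400, 0x400, 0xE0000040),
    (b".rsrc", 0x3000, 0xB7000, 0x2A00, 0x45800, 0xC0000040),
])
RENAMED_STUB = build_stub_pe([          # same layout, section names scrubbed
    (b".text", 0x70000, 0x1000, 0, 0x400, 0xE0000080),
    (b".data", 0x46000, 0x71000, 0x45400, 0x400, 0xE0000040),
])
PLAIN_STUB = build_stub_pe([            # ordinary compiler output
    (b".text", 0x30000, 0x1000, 0x30000, 0x400, 0x60000020),
    (b".data", 0x4000, 0x31000, 0x2000, 0x30400, 0xC0000040),
])

if __name__ == "__main__":
    for label, img in (("packed", PACKED_STUB), ("renamed", RENAMED_STUB), ("plain", PLAIN_STUB)):
        print(label, upx_indicators(img), looks_upx_packed(img))
```

On a real file, pass `open(path, "rb").read()` to `upx_indicators`. The renamed stub shows why the second check matters: with the UPX0/UPX1 names gone, `upx_names` is false but the empty writable-executable first section still gives the layout away. Neither check unpacks anything; for the payload itself, the memory dumps listed further down are the place to look.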

Processes

  • C:\Windows\Explorer.EXE  (PID 1160)
    C:\Windows\Explorer.EXE
    • C:\Users\Admin\AppData\Local\Temp\15ce5e6b5250b42d061f3f536e050457_JaffaCakes118.exe  (PID 2288)
      "C:\Users\Admin\AppData\Local\Temp\15ce5e6b5250b42d061f3f536e050457_JaffaCakes118.exe"
      Signatures: Adds policy Run key to start application; Boot or Logon Autostart Execution: Active Setup; Adds Run key to start application; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\explorer.exe  (PID 2072)
        explorer.exe
        • C:\Windows\SysWOW64\WerFault.exe  (PID 1612)
          C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 260
          Signatures: Program crash
      • C:\Program Files\Internet Explorer\iexplore.exe  (PID 2380)
        "C:\Program Files\Internet Explorer\iexplore.exe"
      • C:\Users\Admin\AppData\Local\Temp\15ce5e6b5250b42d061f3f536e050457_JaffaCakes118.exe  (PID 2348)
        "C:\Users\Admin\AppData\Local\Temp\15ce5e6b5250b42d061f3f536e050457_JaffaCakes118.exe"
        • C:\Windows\SysWOW64\WerFault.exe  (PID 1448)
          C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 212
          Signatures: Program crash
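The three autostart signatures the tree attributes to PID 2288 are registry writes to well-known locations. The following is an added example, not part of the report: detection logic that classifies Sysmon Event ID 13 (RegistryEvent: value set) records into those same three signatures and tallies them by ATT&CK sub-technique. The records are constructed; the PID and image path match the report, while the user SID, value names, Active Setup GUID and dropped-file path are hypothetical. The key paths are an assumption about what the signatures match, namely the locations they are named for: ...\CurrentVersion\Run (T1547.001), ...\CurrentVersion\Policies\Explorer\Run (the "policy Run key", also T1547.001) and ...\Active Setup\Installed Components\<GUID>\StubPath (T1547.014). It strips Wow6432Node first, because a 32-bit process like this one (note the SysWOW64\explorer.exe child) writing under HKLM\Software on x64 Windows is redirected there and the logged TargetObject may carry the redirected path.

```python
import re
from collections import Counter

# Added example: classify Sysmon Event ID 13 (RegistryEvent: value set) records
# into the three autostart signatures the report raises against PID 2288.
# Records are constructed, flattened to "pid | image | TargetObject | Details".
# PID and image match the report; SID, value names, GUID and dropped-file path
# are hypothetical.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\15ce5e6b5250b42d061f3f536e050457_JaffaCakes118.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\hypothetical.exe"   # hypothetical dropped file
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"          # hypothetical user SID
HKCU = "HKU\\" + SID                                            # Sysmon logs the user hive as HKU\<SID>


def record(pid, image, target, details):
    return f"{pid} | {image} | {target} | {details}"


EVENTS = "\n".join([
    record(2288, SAMPLE, HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Run\HypotheticalValue", PAYLOAD),
    record(2288, SAMPLE, r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HypotheticalValue", PAYLOAD),
    record(2288, SAMPLE, r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A0A0A0A-0A0A-0A0A-0A0A-0A0A0A0A0A0A}\StubPath", PAYLOAD),
    # benign noise: a shell setting written by the real explorer, should not match
    record(1160, r"C:\Windows\Explorer.EXE", HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "DWORD (0x00000001)"),
])

# (signature name as the report prints it, ATT&CK ID, key pattern). Assumed
# locations: the standard ones these signatures are named for.
RULES = [
    ("Adds Run key to start application", "T1547.001",
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)),
    ("Adds policy Run key to start application", "T1547.001",
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\[^\\]+$", re.I)),
    ("Boot or Logon Autostart Execution: Active Setup", "T1547.014",
     re.compile(r"\\Software\\Microsoft\\Active Setup\\Installed Components\\\{[0-9A-F-]+\}\\StubPath$", re.I)),
]


def normalize_key(target):
    """Drop the WOW64 redirection node so 32-bit writers match the same rules."""
    return re.sub(r"\\Wow6432Node(?=\\)", "", target, flags=re.I)


def classify_events(text):
    """One finding per record whose TargetObject hits an autostart rule."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, image, target, details = [f.strip() for f in line.split(" | ", 3)]
        key = normalize_key(target)
        for signature, technique, pattern in RULES:
            if pattern.search(key):
                findings.append({"pid": int(pid), "image": image, "signature": signature,
                                 "technique": technique, "key": key, "payload": details})
                break
    return findings


def technique_counts(findings):
    """{ATT&CK ID: hits}, the same tally the report's matrix shows per technique."""
    return dict(Counter(f["technique"] for f in findings))


if __name__ == "__main__":
    for f in classify_events(EVENTS):
        print(f["pid"], f["technique"], f["signature"], "->", f["payload"])
    print(technique_counts(classify_events(EVENTS)))
```

On the constructed input this yields two T1547.001 hits and one T1547.014 hit, the same 2/1 split the ATT&CK matrix below reports for Registry Run Keys and Active Setup. When hunting the Active Setup entry on a live host, compare the HKLM Installed Components GUID against the per-user copy under HKCU: the StubPath runs at the next logon of every user whose HKCU copy is missing or carries a lower Version.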

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                 Technique                              ID          Count
  Persistence            Boot or Logon Autostart Execution      T1547       3
                           Registry Run Keys / Startup Folder   T1547.001   2
                           Active Setup                         T1547.014   1
  Privilege Escalation   Boot or Logon Autostart Execution      T1547       3
                           Registry Run Keys / Startup Folder   T1547.001   2
                           Active Setup                         T1547.014   1
  Defense Evasion        Modify Registry                        T1112       3


Downloads

  Memory dump                                                       Filesize
  memory/1160-3-0x0000000002A00000-0x0000000002A01000-memory.dmp    4KB
  memory/2072-246-0x00000000000A0000-0x00000000000A1000-memory.dmp  4KB
  memory/2072-313-0x0000000000120000-0x0000000000121000-memory.dmp  4KB
  memory/2072-526-0x0000000010490000-0x0000000010502000-memory.dmp  456KB
  memory/2348-852-0x0000000010590000-0x0000000010602000-memory.dmp  456KB
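The dump names encode which process a region was captured from and its virtual address range. The following is an added example, not part of the report: a parser for that naming scheme that recomputes each region's size from the range, checks it against the listed Filesize, groups regions per process, and reports sizes that recur across processes. It assumes the name form memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp seen above; the five entries are copied from the report.

```python
import re
from collections import defaultdict

# Added example: parser for the sandbox's memory-dump naming scheme (assumed
# form: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp). The entries below
# are the five dumps listed in the report together with the Filesize shown.
DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

LISTED_DUMPS = [
    ("memory/1160-3-0x0000000002A00000-0x0000000002A01000-memory.dmp", "4KB"),
    ("memory/2072-246-0x00000000000A0000-0x00000000000A1000-memory.dmp", "4KB"),
    ("memory/2072-313-0x0000000000120000-0x0000000000121000-memory.dmp", "4KB"),
    ("memory/2072-526-0x0000000010490000-0x0000000010502000-memory.dmp", "456KB"),
    ("memory/2348-852-0x0000000010590000-0x0000000010602000-memory.dmp", "456KB"),
]


def parse_dump(name):
    """Split a dump name into pid, sequence number and the [start, end) range."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_kb(nbytes):
    """Whole-kilobyte size in the report's own notation (0x72000 -> '456KB')."""
    return f"{nbytes // 1024}KB"


def check_listed(entries):
    """Entries whose listed Filesize disagrees with the size implied by the name."""
    mismatches = []
    for name, listed in entries:
        computed = human_kb(parse_dump(name)["size"])
        if computed != listed:
            mismatches.append((name, listed, computed))
    return mismatches


def regions_by_pid(entries):
    """{pid: [(start, end, size), ...]} in capture (sequence-number) order."""
    out = defaultdict(list)
    for name, _ in entries:
        d = parse_dump(name)
        out[d["pid"]].append((d["seq"], d["start"], d["end"], d["size"]))
    return {pid: [r[1:] for r in sorted(rs)] for pid, rs in out.items()}


def shared_region_sizes(entries, min_size=0):
    """Region sizes (>= min_size) that appear in more than one process, with the
    PIDs carrying them. Single-page (4KB) regions are noise, so pass a min_size;
    what remains is the first place to look when the report also flags
    WriteProcessMemory against a process the sample spawned."""
    by_size = defaultdict(set)
    for name, _ in entries:
        d = parse_dump(name)
        if d["size"] >= min_size:
            by_size[d["size"]].add(d["pid"])
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


if __name__ == "__main__":
    print("mismatches:", check_listed(LISTED_DUMPS))
    for pid, regions in regions_by_pid(LISTED_DUMPS).items():
        print(pid, [(hex(s), hex(e), human_kb(sz)) for s, e, sz in regions])
    print({hex(k): v for k, v in shared_region_sizes(LISTED_DUMPS, min_size=0x10000).items()})
```

For this report the listed sizes all agree with the ranges, and the only non-trivial size seen in more than one process is 0x72000 (456KB), present both in the spawned SysWOW64\explorer.exe (PID 2072) and in the second copy of the sample (PID 2348). Together with the WriteProcessMemory signature on the parent, that makes those two dumps the ones to diff and unpack first; matching sizes are a lead, not proof that the contents are identical.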