Analysis

  • max time kernel
    134s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-06-2024 11:20

General

  • Target

    15ce5e6b5250b42d061f3f536e050457_JaffaCakes118.exe

  • Size

    281KB

  • MD5

    15ce5e6b5250b42d061f3f536e050457

  • SHA1

    0ed82398a4ae86bb491893cd9120d2382f9217d4

  • SHA256

    c4658593625145d039fe38ade840edc79dfb2744b0167e6eb802da7d2402cbe7

  • SHA512

    b0987126c2dba5118c87d7c8e5ee73a585fca5153659a34b445a1d3b89622b4fd1bd092180fcbccff3d3483cdccddc69d78c160ec60cb1b37ab669436fda2aa7

  • SSDEEP

    6144:Oy+phfTwlTLfkixFUQKf3D7TnBAZ5qhbxE:L+p90lYixsfvDBAzK9E

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3420
    • C:\Users\Admin\AppData\Local\Temp\15ce5e6b5250b42d061f3f536e050457_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\15ce5e6b5250b42d061f3f536e050457_JaffaCakes118.exe"
      2⤵
      • Adds policy Run key to start application
      • Boot or Logon Autostart Execution: Active Setup
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:624
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        PID:3452
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 812
          4⤵
          • Program crash
          PID:652
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        PID:4484
      • C:\Users\Admin\AppData\Local\Temp\15ce5e6b5250b42d061f3f536e050457_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\15ce5e6b5250b42d061f3f536e050457_JaffaCakes118.exe"
        3⤵
        PID:1864
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 476
          4⤵
          • Program crash
          PID:1524
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3452 -ip 3452
    1⤵
    PID:2924
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1864 -ip 1864
    1⤵
    PID:3136

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                              Count  ID
  Persistence           Boot or Logon Autostart Execution      3      T1547
  Persistence           Registry Run Keys / Startup Folder     2      T1547.001
  Persistence           Active Setup                           1      T1547.014
  Privilege Escalation  Boot or Logon Autostart Execution      3      T1547
  Privilege Escalation  Registry Run Keys / Startup Folder     2      T1547.001
  Privilege Escalation  Active Setup                           1      T1547.014
  Defense Evasion       Modify Registry                        3      T1112


Downloads

  • memory/624-4-0x0000000010410000-0x0000000010482000-memory.dmp
    Filesize
    456KB

  • memory/624-64-0x0000000010490000-0x0000000010502000-memory.dmp
    Filesize
    456KB

  • memory/1864-150-0x0000000010590000-0x0000000010602000-memory.dmp
    Filesize
    456KB

  • memory/3452-7-0x0000000000470000-0x0000000000471000-memory.dmp
    Filesize
    4KB

  • memory/3452-8-0x0000000000530000-0x0000000000531000-memory.dmp
    Filesize
    4KB

  • memory/3452-66-0x0000000003410000-0x0000000003411000-memory.dmp
    Filesize
    4KB

  • memory/3452-67-0x0000000010490000-0x0000000010502000-memory.dmp
    Filesize
    456KB