aeb40455353d3b6aae8d23fb67ead5738c55a6e201c41c074e4b8e094dd7867b

Analysis

max time kernel
4s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23b49f56c506fb5e588ff09884376931_JaffaCakes118.exe
Size

100KB
MD5

23b49f56c506fb5e588ff09884376931
SHA1

19cb3982fcaea820e15c62532eed644e7f082877
SHA256

aeb40455353d3b6aae8d23fb67ead5738c55a6e201c41c074e4b8e094dd7867b
SHA512

68a747f4f7a79ab5adaeef313670a7c0f3e2e2466f725024308246fba440dab6bca1852e958358ed38b5678692735cc36ca5a34389e30ed51f0e05ad8193e40c
SSDEEP

768:B2zM8w18SYYgMP52icWhW4jzrvMDHDy5tt5YWesBBfScaUjxLqPF9V/oo0+:cQUOcW5Dqjy5to0WUFW

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1492	23b49f56c506fb5e588ff09884376931_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\upxdnd = "C:\\Windows\\upxdnd.exe"	23b49f56c506fb5e588ff09884376931_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\upxdnd.dll	23b49f56c506fb5e588ff09884376931_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\upxdnd.exe	23b49f56c506fb5e588ff09884376931_JaffaCakes118.exe
File opened for modification	C:\Windows\upxdnd.exe	23b49f56c506fb5e588ff09884376931_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1492	23b49f56c506fb5e588ff09884376931_JaffaCakes118.exe
1492	23b49f56c506fb5e588ff09884376931_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1492	23b49f56c506fb5e588ff09884376931_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 3504	1492	23b49f56c506fb5e588ff09884376931_JaffaCakes118.exe	55
PID 1492 wrote to memory of 3504	1492	23b49f56c506fb5e588ff09884376931_JaffaCakes118.exe	55

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3504
- C:\Users\Admin\AppData\Local\Temp\23b49f56c506fb5e588ff09884376931_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\23b49f56c506fb5e588ff09884376931_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1492

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4776
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  PID:2732

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\upxdnd.dll

Filesize
27KB

MD5
9136851ea151ade92ad602cdbc62b7e8

SHA1
f6226b7bfc375534978c151fa424a3536eadd0b6

SHA256
0d8a8e436dece56838f662722f3d3ac7d326f6ab072493fa90659697f9f3b746

SHA512
1f4413d8ff09455555ea1a2f9fbda474be9d597235967d60e026bfb1430a72efca9f9391504ed07c0d460fe505ed7214f0f800d38af1c1bfc6b2eb0b2b7145dd

Download Submit
memory/1492-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1492-8-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/1492-9-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/1492-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3504-3-0x0000000003FC0000-0x0000000003FC1000-memory.dmp

Filesize
4KB

Download