d62ec4e13aa9c93915f4efdc9aff6e0024240deb15404b007d2d17b126e268cc

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20caea201784059e396d6d6721fa4a72_JaffaCakes118.exe
Size

15KB
MD5

20caea201784059e396d6d6721fa4a72
SHA1

dd35113cb486c1f124ba8b3b519e4f1ea161b888
SHA256

d62ec4e13aa9c93915f4efdc9aff6e0024240deb15404b007d2d17b126e268cc
SHA512

5c9ff8a705586ee229d23f94bccbaadf02e09976f21e3be92c848617baed8914524dcab10f3a254c83237da73480fb92ddf2a4648bc29721a330bd538abe3a39
SSDEEP

384:ZHhTDeXzk79vyVFwbk4v5L5QjIsRCgao:nMcvQSbka8IS0

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2680	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1932	ld09.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2788-4-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/files/0x003100000001655d-7.dat	upx
behavioral1/memory/1932-18-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1932-20-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sysldtray = "c:\\windows\\ld09.exe"	ld09.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\ld09.exe	20caea201784059e396d6d6721fa4a72_JaffaCakes118.exe
File created	\??\c:\windows\ld09.exe	20caea201784059e396d6d6721fa4a72_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 1932	2788	20caea201784059e396d6d6721fa4a72_JaffaCakes118.exe	28
PID 2788 wrote to memory of 1932	2788	20caea201784059e396d6d6721fa4a72_JaffaCakes118.exe	28
PID 2788 wrote to memory of 1932	2788	20caea201784059e396d6d6721fa4a72_JaffaCakes118.exe	28
PID 2788 wrote to memory of 1932	2788	20caea201784059e396d6d6721fa4a72_JaffaCakes118.exe	28
PID 2788 wrote to memory of 2680	2788	20caea201784059e396d6d6721fa4a72_JaffaCakes118.exe	29
PID 2788 wrote to memory of 2680	2788	20caea201784059e396d6d6721fa4a72_JaffaCakes118.exe	29
PID 2788 wrote to memory of 2680	2788	20caea201784059e396d6d6721fa4a72_JaffaCakes118.exe	29
PID 2788 wrote to memory of 2680	2788	20caea201784059e396d6d6721fa4a72_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\20caea201784059e396d6d6721fa4a72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\20caea201784059e396d6d6721fa4a72_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2788
- \??\c:\windows\ld09.exe
  c:\windows\ld09.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\d45.bat
  2⤵
  - Deletes itself
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ld09.exe

Filesize
15KB

MD5
20caea201784059e396d6d6721fa4a72

SHA1
dd35113cb486c1f124ba8b3b519e4f1ea161b888

SHA256
d62ec4e13aa9c93915f4efdc9aff6e0024240deb15404b007d2d17b126e268cc

SHA512
5c9ff8a705586ee229d23f94bccbaadf02e09976f21e3be92c848617baed8914524dcab10f3a254c83237da73480fb92ddf2a4648bc29721a330bd538abe3a39

Download Submit
C:\d45.bat

Filesize
263B

MD5
ab80d8b088d60b8acdeebea0303bfb72

SHA1
befff978a0d7d670e1f0cf6c5b610d010fffaa26

SHA256
5c6fa60c305d2f9f56a38729892bd56dbf324f08d6819e887184c60f846a7ecb

SHA512
649be8e4e9cca8bf130eded6fadd29acf24a195c3cecaee1bef411f76ffabf6409aae8bbafb7c9c6a0b86487ce97146af939ec9dfdbdd7b885efb285f891700f

Download Submit
memory/1932-18-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1932-20-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2788-4-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads