Analysis

  • max time kernel
    133s
  • max time network
    111s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-07-2024 12:49

General

  • Target

    226e2664e8ffffa616981d2117136d24_JaffaCakes118.exe

  • Size

    1023KB

  • MD5

    226e2664e8ffffa616981d2117136d24

  • SHA1

    d7604be93df1fefc391152e46f8fecdd35721471

  • SHA256

    188745a9a4866634060354bd55e843a95c3bbafd64356b311124b0ed811e36cd

  • SHA512

    cfa687c469f57938c6e22d8fa98140233c06ccdc50ed40b50a94101b42a96de983c80bf785aa1a4ff86f90e0e5d84ea934dd59585963c1beaaff2b28f1949320

  • SSDEEP

    24576:pINHFxsApPWwb6DXFfO+4hg4wZBCrlyT6S+JDH7BiiU3eDR2Cy/:pAHFf8wb6DZOjh0aO+HQu92Z

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\226e2664e8ffffa616981d2117136d24_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\226e2664e8ffffa616981d2117136d24_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3140
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
      2⤵
        PID:2024
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ztmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ztmp"
        2⤵
          PID:3716
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ztmp
          2⤵
          • Hide Artifacts: Hidden Files and Directories
          • Suspicious use of WriteProcessMemory
          PID:3400
          • C:\Windows\SysWOW64\attrib.exe
            attrib +h C:\Users\Admin\AppData\Local\Temp\ztmp
            3⤵
            • Views/modifies file attributes
            PID:3336
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\check_inet.bat" del "C:\Users\Admin\AppData\Local\Temp\afolder\check_inet.bat"
          2⤵
            PID:3388
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\sendmail.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\sendmail.exe"
            2⤵
              PID:4284
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\dwn_util.bat" del "C:\Users\Admin\AppData\Local\Temp\afolder\dwn_util.bat"
              2⤵
                PID:208
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\curl.uha" del "C:\Users\Admin\AppData\Local\Temp\afolder\curl.uha"
                2⤵
                  PID:3492
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\uharc.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\uharc.exe"
                  2⤵
                    PID:3672
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5968.bat" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5968.bat"
                    2⤵
                      PID:1464
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5905.exe" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5905.exe"
                      2⤵
                        PID:4740
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5968.bat
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1616
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\afolder\check_inet.bat"
                          3⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2452
                          • C:\Windows\SysWOW64\PING.EXE
                            PING -n 1 www.google.com
                            4⤵
                            • Runs ping.exe
                            PID:2012
                          • C:\Windows\SysWOW64\find.exe
                            find "Reply from "
                            4⤵
                              PID:1536
                          • C:\Users\Admin\AppData\Local\Temp\afolder\uharc.exe
                            "C:\Users\Admin\AppData\Local\Temp\afolder\uharc.exe" x -t"C:\Users\Admin\AppData\Local\Temp\bisc" -y+ C:\Users\Admin\AppData\Local\Temp\afolder\curl.uha
                            3⤵
                            • Executes dropped EXE
                            PID:5028
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\afolder\dwn_util.bat"
                            3⤵
                            • Suspicious use of WriteProcessMemory
                            PID:5040
                            • C:\Windows\SysWOW64\mode.com
                              mode con: lines=10
                              4⤵
                                PID:1404
                              • C:\Users\Admin\AppData\Local\Temp\afolder\uharc.exe
                                "C:\Users\Admin\AppData\Local\Temp\afolder\uharc.exe" x -t"C:\Users\Admin\AppData\Local\Temp\bisc" -y+ C:\Users\Admin\AppData\Local\Temp\afolder\curl.uha
                                4⤵
                                • Executes dropped EXE
                                PID:1084
                              • C:\Users\Admin\AppData\Local\Temp\bisc\curl.exe
                                ""C:\Users\Admin\AppData\Local\Temp\bisc\curl"" --progress-bar -o "C:\Users\Admin\AppData\Local\Temp\bisc\diag_rem_v.txt " "http://www.modyouri.com/bisc_files/cur_diag_rem_v.txt "
                                4⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Suspicious behavior: EnumeratesProcesses
                                PID:4596
                            • C:\Windows\SysWOW64\fc.exe
                              fc "C:\Users\Admin\AppData\Local\Temp\bisc\cur_diag_rem_v.txt" "C:\Users\Admin\AppData\Local\Temp\bisc\diag_rem_v.txt"
                              3⤵
                                PID:1892
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\afolder\dwn_util.bat"
                                3⤵
                                  PID:4628
                                  • C:\Windows\SysWOW64\mode.com
                                    mode con: lines=10
                                    4⤵
                                      PID:3788
                                    • C:\Users\Admin\AppData\Local\Temp\afolder\uharc.exe
                                      "C:\Users\Admin\AppData\Local\Temp\afolder\uharc.exe" x -t"C:\Users\Admin\AppData\Local\Temp\bisc" -y+ C:\Users\Admin\AppData\Local\Temp\afolder\curl.uha
                                      4⤵
                                      • Executes dropped EXE
                                      PID:116
                                    • C:\Users\Admin\AppData\Local\Temp\bisc\curl.exe
                                      ""C:\Users\Admin\AppData\Local\Temp\bisc\curl"" --progress-bar -o "C:\Users\Admin\AppData\Local\Temp\bisc\diag_rem_v.txt " "http://www.modyouri.com/bisc_files/cur_diag_rem_v.txt "
                                      4⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:676

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\BISC\DIAG_REM_V.TXT
    Filesize: 167B
    MD5: 0104c301c5e02bd6148b8703d19b3a73
    SHA1: 7436e0b4b1f8c222c38069890b75fa2baf9ca620
    SHA256: 446a6087825fa73eadb045e5a2e9e2adf7df241b571228187728191d961dda1f
    SHA512: 84427b656a6234a651a6d8285c103645b861a18a6c5af4abb5cb4f3beb5a4f0df4a74603a0896c7608790fbb886dc40508e92d5709f44dca05dd46c8316d15bf

  • C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\BISC\cur_diag_rem_v.txt
    Filesize: 7B
    MD5: be768f6945cb6d45d3b42d55f5b70aea
    SHA1: 0d8d84046fc096097a7ad7a2d8754e2039cfbe61
    SHA256: 4a0f4ca43af103ffb3c1c659297f28760fee2be3d3bf57d52cf2ecaa7021ae52
    SHA512: 4fda073ad949fc717a48d5b9f1365dd94fdb38173d0e3797a1fad88bc8897a6c073e2273a03a367feb14a39f161957f6411865c73ece16a2d5b19cf6fda091b4

  • C:\Users\Admin\AppData\Local\Temp\afolder\check_inet.bat
    Filesize: 664B
    MD5: 581b6ba034bc84910287bc2b4d71ab58
    SHA1: 81b241cda9516e6db484f2dbbff3c0eb641b9186
    SHA256: 2d805f58c664b6be4e6d6aba5af0c7d07c4bf173981f36a62011c50809862ed4
    SHA512: 43a89e66f4804d233a98c855d0c4b20c439a0258d3231e399ad0c063535e57ba1f38cf2ba699b7f09e376330f0f412569d7def771d831911e9643199c32774b9

  • C:\Users\Admin\AppData\Local\Temp\afolder\curl.uha
    Filesize: 816KB
    MD5: 045bb7f6767536d2734a82bfa907a88c
    SHA1: d661d2d131d4df532f9375c1953b4e3b5cb5d8a6
    SHA256: 105c7728959c59efaee6c23b5ec90e1e0b243a2b21855313fca015ee1b45d8bd
    SHA512: 61d9a8a7fb00fda4d24a89473b9ada4da8ba6b0b72157e7d19105e525efd4d9fffe36c8de57b19576d20510b8922081c807f057d971dfffa66d6885d4bd96bdb

  • C:\Users\Admin\AppData\Local\Temp\afolder\dwn_util.bat
    Filesize: 1KB
    MD5: 08b1e6c236cf405c8eaf2174f47f840d
    SHA1: 4885088aa42193f2e81692084a74fe38d63e779e
    SHA256: 0720c8786ae5b0064637392be0706e82524737f34249abf5b6b94b74c952a6e5
    SHA512: 17fe6ee6f3d7ab0cdbee18f66ae412c35535b6e4d6d5cae2d04caab2230cfa16ef4fb0a8b1d980972c333261ef9620f8df035eedead6c71ab531079f58b20f7b

  • C:\Users\Admin\AppData\Local\Temp\afolder\uharc.exe
    Filesize: 101KB
    MD5: 50f6270de215776eb6e9ab43c2367f90
    SHA1: a2f0be6b23b6a923c402d6893e7e3c50e89a1132
    SHA256: f0a425fc7159c0311fcf32a03c80e24f40b273d199ce95defe470786087f822a
    SHA512: 6dac8fbf961c41832000623092247b1deccf288a4fe32c4f028e89eb485b8d1713012038af955a87674beeaba92c0bc9ef47c4c10242bc3953b2b1a0e53431ac

  • C:\Users\Admin\AppData\Local\Temp\bisc\curl.exe
    Filesize: 118KB
    MD5: e44e350bba5be866612211e8d56e0ed1
    SHA1: 10ec6d2a1d3d43d0e597eb8eb01478faf033a4be
    SHA256: fcc49a15f22ceafbf97411dd9e1cd693309b5f9aec967426e631ff7c2b0cb2dc
    SHA512: 45181ec10bfca7542a98cce08395e9243dab84444664975cf3bf92e2b4c70585273858c9a5789dfb7578ef98bf3b895afcf80f2bf89e2b5680650cb72d657a69

  • C:\Users\Admin\AppData\Local\Temp\bisc\curl.exe
    Filesize: 432KB
    MD5: 42d74927a0f4f583fb4a43c6841f0da1
    SHA1: 84e0ddb2b0fd27a72d5e5caaf19d2323babeedd0
    SHA256: a5666c0d1ab708994ee1636d0cbe8cec759378d764a6704e20c31a505f19809c
    SHA512: 01e3d5423c49a484cd1ffb295bbdd4583fa70d08549b0c42b283f0a31bfe799bdda95d3452f19cf59e288545dce248972de7e1b37db7f23bd4c292baa8df7093

  • C:\Users\Admin\AppData\Local\Temp\bisc\libcurl.dll
    Filesize: 322KB
    MD5: 659c79fbe882e54c44f3bd39f073d7c0
    SHA1: d684bab7481def64c5e75d1732b69bbd6ca2ffb3
    SHA256: ea7c540a7e59596a8793bd00d742ca5f86db7022be03465b6967285c1667c849
    SHA512: 0ea0483774c09a99deaf9a26372ea9308c719f1b5dbc6b9413ecdb89a3e4cc1b36e8a59f7dcddbd76c0e683d5169c9271f997eee465b0ea927264ec514d45245

  • C:\Users\Admin\AppData\Local\Temp\bisc\libeay32.dll
    Filesize: 1.5MB
    MD5: 923fad7854959d5e971bcb787a699f3c
    SHA1: 41a72dd510b5f08d9a2cf4a0dacf3fbb76ddb2ca
    SHA256: 9018baac15d34cfd47f092a3c9c12ba1c5ddb910a4692187174d8f09f193e5f8
    SHA512: 4f367d95468d7c27647d2e9626006908ca1c5d786c6e364953f83bc81df5248e7fba0468097fc017d1ac48f77526ebaaad77c4c1e49712a2381de8bf3e159660

  • C:\Users\Admin\AppData\Local\Temp\bisc\libssl32.dll
    Filesize: 19KB
    MD5: b15da2b65fe5e474b60db4a961f363e8
    SHA1: f78b9d1ebd3b22cd52d152806a85297b70e00956
    SHA256: 10d7081a72d7fd4b4dfe0bb88119be5dd1df0a019a43b8fe25136b64e397e067
    SHA512: 518334e3e1a5d307596fa1416df4bf5081a7304d7ac15d97e7b2af79502fe414dc577c5caf6122a7cd093a6b6ae7ae37b2e7f821918a8911479858219305d79b

  • C:\Users\Admin\AppData\Local\Temp\bisc\libssl32.dll
    Filesize: 346KB
    MD5: b394f91a8069216775f87749253dbe82
    SHA1: d82f8cf2f2198fb60dddfd1ab4deec47b3b70657
    SHA256: 0f22abb27e6572b0bd383fec50076dd9898cd2f3366551bb51f2856697d11c19
    SHA512: 86dfccfee8693b2a6ad2265fbaa3f472569e3ae4725dae8224ba9cacaf11aa2e4f9a9ff9d41620d42f41c91df758c8a76008242e148c88e3a6b216dda8ef65d5

  • C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5968.bat
    Filesize: 7KB
    MD5: 3ac28d94a80a0e8dd7f21d6c3b9d44a3
    SHA1: b504f61a71308dea5e5aa187e0b6582f38f677f4
    SHA256: c071d504856fc7dc08bcde4d29ef1ac36317246ddd7c69dbeb2fd4389f7db394
    SHA512: 83244d2b91fa20d093625b955d1a3b974c68f0b3ba3c3b2014b2623de61b72b81431f54bb495341cba6af9d310dc7969e93001379cf554e913d30209d31c14ab

  • memory/116-77-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize: 588KB

  • memory/676-86-0x0000000061D80000-0x0000000061EA9000-memory.dmp
    Filesize: 1.2MB

  • memory/676-87-0x000000006B080000-0x000000006B0C3000-memory.dmp
    Filesize: 268KB

  • memory/676-85-0x0000000000400000-0x0000000000473000-memory.dmp
    Filesize: 460KB

  • memory/1084-49-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize: 588KB

  • memory/1084-31-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize: 588KB

  • memory/4596-60-0x000000006B080000-0x000000006B0C3000-memory.dmp
    Filesize: 268KB

  • memory/4596-59-0x0000000061D80000-0x0000000061EA9000-memory.dmp
    Filesize: 1.2MB

  • memory/4596-58-0x0000000000400000-0x0000000000473000-memory.dmp
    Filesize: 460KB

  • memory/5028-13-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize: 588KB

  • memory/5028-28-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize: 588KB