435eaf20ee3d0d2095904ef88ca1f3ae0fc828fa31efe901f5b9fa5533e35a33

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2340171a977f86e50ddab273f6ced2b5_JaffaCakes118.exe
Size

368KB
MD5

2340171a977f86e50ddab273f6ced2b5
SHA1

c0512a8544a2d1bb758cb7dd77a27dd84e7a8677
SHA256

435eaf20ee3d0d2095904ef88ca1f3ae0fc828fa31efe901f5b9fa5533e35a33
SHA512

7500a195039421b06822e266de4ecb035f058eaadaeba8371e6fc9103eb81ec0c22fd6b8124481f5e5d8ea90008480f4939a12780642307ce2e96bc715b7282d
SSDEEP

6144:UQqIPtiv4epAtoMEJAdWTQ5wCAJACOFYvFwJikIEtWAWW0ZZ0SXHqeVo13Fx:3+F8oRYYQxAQKFwJ0EtMWgjXKsoPx

Score

8^/10

persistence privilege_escalation upx

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Executes dropped EXE 3 IoCs

pid	Process
3020	wof.exe
2680	Ãû½«±¦Âí.exe
2732	Temp.exe

Loads dropped DLL 10 IoCs

pid	Process
1488	2340171a977f86e50ddab273f6ced2b5_JaffaCakes118.exe
1488	2340171a977f86e50ddab273f6ced2b5_JaffaCakes118.exe
3020	wof.exe
3020	wof.exe
3020	wof.exe
1488	2340171a977f86e50ddab273f6ced2b5_JaffaCakes118.exe
1488	2340171a977f86e50ddab273f6ced2b5_JaffaCakes118.exe
2680	Ãû½«±¦Âí.exe
2680	Ãû½«±¦Âí.exe
2680	Ãû½«±¦Âí.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000f00000001214d-3.dat	upx
behavioral1/memory/1488-8-0x00000000005D0000-0x00000000005E0000-memory.dmp	upx
behavioral1/memory/3020-19-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/3020-52-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xlx.dml	wof.exe
File created	C:\Windows\SysWOW64\safe.dll	wof.exe
File created	C:\Windows\SysWOW64\safe.tv	wof.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2680	Ãû½«±¦Âí.exe
2680	Ãû½«±¦Âí.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 3020	1488	2340171a977f86e50ddab273f6ced2b5_JaffaCakes118.exe	28
PID 1488 wrote to memory of 3020	1488	2340171a977f86e50ddab273f6ced2b5_JaffaCakes118.exe	28
PID 1488 wrote to memory of 3020	1488	2340171a977f86e50ddab273f6ced2b5_JaffaCakes118.exe	28
PID 1488 wrote to memory of 3020	1488	2340171a977f86e50ddab273f6ced2b5_JaffaCakes118.exe	28
PID 1488 wrote to memory of 3020	1488	2340171a977f86e50ddab273f6ced2b5_JaffaCakes118.exe	28
PID 1488 wrote to memory of 3020	1488	2340171a977f86e50ddab273f6ced2b5_JaffaCakes118.exe	28
PID 1488 wrote to memory of 3020	1488	2340171a977f86e50ddab273f6ced2b5_JaffaCakes118.exe	28
PID 1488 wrote to memory of 2680	1488	2340171a977f86e50ddab273f6ced2b5_JaffaCakes118.exe	29
PID 1488 wrote to memory of 2680	1488	2340171a977f86e50ddab273f6ced2b5_JaffaCakes118.exe	29
PID 1488 wrote to memory of 2680	1488	2340171a977f86e50ddab273f6ced2b5_JaffaCakes118.exe	29
PID 1488 wrote to memory of 2680	1488	2340171a977f86e50ddab273f6ced2b5_JaffaCakes118.exe	29
PID 1488 wrote to memory of 2680	1488	2340171a977f86e50ddab273f6ced2b5_JaffaCakes118.exe	29
PID 1488 wrote to memory of 2680	1488	2340171a977f86e50ddab273f6ced2b5_JaffaCakes118.exe	29
PID 1488 wrote to memory of 2680	1488	2340171a977f86e50ddab273f6ced2b5_JaffaCakes118.exe	29
PID 3020 wrote to memory of 2588	3020	wof.exe	30
PID 3020 wrote to memory of 2588	3020	wof.exe	30
PID 3020 wrote to memory of 2588	3020	wof.exe	30
PID 3020 wrote to memory of 2588	3020	wof.exe	30
PID 3020 wrote to memory of 2588	3020	wof.exe	30
PID 3020 wrote to memory of 2588	3020	wof.exe	30
PID 3020 wrote to memory of 2588	3020	wof.exe	30
PID 2588 wrote to memory of 2732	2588	cmd.exe	32
PID 2588 wrote to memory of 2732	2588	cmd.exe	32
PID 2588 wrote to memory of 2732	2588	cmd.exe	32
PID 2588 wrote to memory of 2732	2588	cmd.exe	32
PID 2588 wrote to memory of 2732	2588	cmd.exe	32
PID 2588 wrote to memory of 2732	2588	cmd.exe	32
PID 2588 wrote to memory of 2732	2588	cmd.exe	32
PID 3020 wrote to memory of 2512	3020	wof.exe	33
PID 3020 wrote to memory of 2512	3020	wof.exe	33
PID 3020 wrote to memory of 2512	3020	wof.exe	33
PID 3020 wrote to memory of 2512	3020	wof.exe	33
PID 3020 wrote to memory of 2512	3020	wof.exe	33
PID 3020 wrote to memory of 2512	3020	wof.exe	33
PID 3020 wrote to memory of 2512	3020	wof.exe	33

C:\Users\Admin\AppData\Local\Temp\2340171a977f86e50ddab273f6ced2b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2340171a977f86e50ddab273f6ced2b5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\wof.exe
  "C:\Users\Admin\AppData\Local\Temp\wof.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\asdfjsf.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Temp.exe
      C:\Temp.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "AppInit_DLLs" /t REG_SZ /d "C:\Windows\system32\safe.dll" /f
      4⤵
      Executes dropped EXE
      PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\del.bat
    3⤵
    PID:2512
- C:\Users\Admin\AppData\Local\Temp\Ãû½«±¦Âí.exe
  "C:\Users\Admin\AppData\Local\Temp\Ãû½«±¦Âí.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp.exe

Filesize
61KB

MD5
d69a9abbb0d795f21995c2f48c1eb560

SHA1
8bd131b03d6ba865b228ca8ee3239d2ef2b90b74

SHA256
36414c7e57afa6136d77fd47f4c55102e35f2475fbcd719728da7d14b1590e2a

SHA512
06421bb7a363e938ef7d15c44bce9c92004df957f64652d4288246b229bdd61a39997fda40c999e601c87054c3fe12c5fbef4f6b11420cd08b8a5fe84c9be5b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ãû½«±¦Âí.exe

Filesize
676KB

MD5
e84875a48c4ae17b46a1c2b33693914c

SHA1
14522a6cf4b303348a836378fa335e519ce58b73

SHA256
7a7d098503c74706b052a029a60e6d537071a8439dc4dd573e1b77aeaae212bf

SHA512
2282beddae08a8cb4279075b07dfdd920ed41ffeb90a5fe00cad630d46dd00a858295f876ddde564ce27cedb57265ed9e21880c8ccf2d09ed6ac41c800e8b549

Download Submit
C:\asdfjsf.bat

Filesize
143B

MD5
d73a9361b7a4605ae6ba9549a14fe527

SHA1
19c58785f411aebf4ca6fa4306fb83be3b0224f3

SHA256
b6938686686272d90cc4d93f536bac3a3aa04b740a931f6385240c9215317f61

SHA512
9319bf755243e2a17b96927f96dfe428dd5f555990c58f1d7162aacb5a85e930166223b95dee3741158d40488adc5e86d28200219dbf6f489de0d5fb24d106a8

Download Submit
C:\del.bat

Filesize
1KB

MD5
25e78c30b4908ca55c38853bb3439cd6

SHA1
e1711297f7c0b9f5fc60ca16de88f890936a2e66

SHA256
6f7508a624d06fc83a1db8356f7899088d71597e482e9371006d8f40bf6c7c6f

SHA512
a7bf46266a5b0892dd5ac743f2395997d14440789f7713b725319d45bf8a1c0aa43345b75f9e5a5cc1c0bc04b5d66fa50bec7fc00a614ca254ff8b2381c9a58a

Download Submit
\Users\Admin\AppData\Local\Temp\wof.exe

Filesize
18KB

MD5
182aa3600b2e2a2582cbdff590cc0efe

SHA1
e9c4faee3e83b3c565d302f0ac9984dbda7d0584

SHA256
4246ae0769abaf929a01026643ba1a9c3c8b7ce040f20e06e4c2490ae96d09cc

SHA512
7586764daf90a77e9a9832d5a202c65b3f52bd92d6924ec6a2061825b48929212a977a5723958edd66dcb4e015ee273a0a1847c6c87a5e673879e2faf1e0fe39

Download Submit
memory/1488-10-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/1488-8-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/3020-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3020-25-0x0000000000020000-0x0000000000030000-memory.dmp

Filesize
64KB

Download
memory/3020-21-0x0000000000020000-0x0000000000030000-memory.dmp

Filesize
64KB

Download
memory/3020-20-0x0000000000020000-0x0000000000030000-memory.dmp

Filesize
64KB

Download
memory/3020-52-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download