76d7b14e3072879b3d4b28bbb0caa6d9ed24eaab6a3a73aec55cb38ed1b03bf4

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
Size

22KB
MD5

24a9d02fcc160d0f3b898bca6b07825e
SHA1

2f6dd9b879ff5bb42cf2fa9fab156bce9d0fc198
SHA256

76d7b14e3072879b3d4b28bbb0caa6d9ed24eaab6a3a73aec55cb38ed1b03bf4
SHA512

71f0cb450f09cff319bacf01a08557b539c8e481d964ac43ce2a52813df02ac3b9a54164f32039d2d1369b1699add400d82240c57ce63393c7fcdf4c1a5214b7
SSDEEP

384:j1P/UIYZwv5ycdgLtQn/3TS+5EfC+TYU3gwveXBCPY1IaNJawcudoD7U9GD:jNY+5YLtQ/fTU3JeXIA1hnbcuyD7U0

Score

8^/10

persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\some = "C:\\Users\\Admin\\AppData\\Local\\Temp\\24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe"	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2120	scm.exe

Loads dropped DLL 2 IoCs

pid	Process
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2364-0-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/2364-4-0x0000000000310000-0x0000000000318000-memory.dmp	upx
behavioral1/files/0x000c00000001450b-2.dat	upx
behavioral1/memory/2120-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2364-10-0x0000000000310000-0x0000000000318000-memory.dmp	upx
behavioral1/memory/2364-12-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral1/memory/2364-16-0x0000000000310000-0x0000000000318000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2120	scm.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2120	scm.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2120	scm.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2120	scm.exe
2120	scm.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2120	scm.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2120	scm.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2120	scm.exe
2120	scm.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2120	scm.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2120	scm.exe
2120	scm.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2120	scm.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2120	scm.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2120	scm.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2120	scm.exe
2120	scm.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2120	scm.exe
2120	scm.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2120	scm.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2120	scm.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2120	scm.exe
2120	scm.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2120	scm.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2120	scm.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2120	scm.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2120	scm.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2120	scm.exe
2120	scm.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2120	scm.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2120	scm.exe
2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
2120	scm.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2120	2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe	28
PID 2364 wrote to memory of 2120	2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe	28
PID 2364 wrote to memory of 2120	2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe	28
PID 2364 wrote to memory of 2120	2364	24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24a9d02fcc160d0f3b898bca6b07825e_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\scm.exe
  C:\Users\Admin\AppData\Local\Temp\scm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\scm.exe

Filesize
9KB

MD5
4ba9f08910e0d0f6a6f9f850cdc6d626

SHA1
27f1ba576b80b1b659d886b4adcb58057ce7c7c3

SHA256
dfc5410fcdd86beb649dd17b260e4d6c805f21b5b14744169fa64a18ae4a8731

SHA512
b3051926bd132ac12b9cf57c1a80735a852a12ff379845611ba69a19c0ec2c8de1a411ff091b3f5df6dcafa718432566b396e19c0cf1a49bad50c04a705b3472

Download Submit
memory/2120-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2364-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2364-4-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/2364-10-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/2364-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2364-16-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download