eaa57acde4466bc8088992090bf6610e73658fbe4c4a7c7353464986bdd4986e

Analysis

max time kernel
99s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

271f1f2117b0eb7f5301ce4a22b914da_JaffaCakes118.exe
Size

454KB
MD5

271f1f2117b0eb7f5301ce4a22b914da
SHA1

3fa456c517a538a9922f792e7e772e54bacb9818
SHA256

eaa57acde4466bc8088992090bf6610e73658fbe4c4a7c7353464986bdd4986e
SHA512

fb7024244e09f88777ea7732fb48dd27ebf1452433a24466563d7af1e5616e721f046fa6e44af37dae28f1b3211dd6453600e2cf2711aa61449319f104456e22
SSDEEP

12288:12/g4JjcB9re7F1OkwtMxJwqne1IJm4q6EPuPwnKA:a8y58IHqz7r

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5016	Ufatia.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5028-0-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/files/0x000b0000000234d8-9.dat	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	271f1f2117b0eb7f5301ce4a22b914da_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	271f1f2117b0eb7f5301ce4a22b914da_JaffaCakes118.exe
File created	C:\Windows\Ufatia.exe	271f1f2117b0eb7f5301ce4a22b914da_JaffaCakes118.exe
File opened for modification	C:\Windows\Ufatia.exe	271f1f2117b0eb7f5301ce4a22b914da_JaffaCakes118.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Ufatia.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Ufatia.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
74384	5016	WerFault.exe	84

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Software\Microsoft\Internet Explorer\Main	Ufatia.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe
5016	Ufatia.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 5016	5028	271f1f2117b0eb7f5301ce4a22b914da_JaffaCakes118.exe	84
PID 5028 wrote to memory of 5016	5028	271f1f2117b0eb7f5301ce4a22b914da_JaffaCakes118.exe	84
PID 5028 wrote to memory of 5016	5028	271f1f2117b0eb7f5301ce4a22b914da_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\271f1f2117b0eb7f5301ce4a22b914da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\271f1f2117b0eb7f5301ce4a22b914da_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Windows\Ufatia.exe
  C:\Windows\Ufatia.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:5016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 356
    3⤵
    - Program crash
    PID:74384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5016 -ip 5016
1⤵
PID:74368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
390B

MD5
10dc1ade44c0909b6d5b27405d8cf6d6

SHA1
6e1c63f18b51e89d5f1e1683cdd6a4789d204ee5

SHA256
97581c6e5f049b1b231476a4387268cebee903e0286ea9b6c419dc06160de5cb

SHA512
5bdf7456f15d5647d8829767f381def7bbe73d27d20faab0d8a6266d5fd6a6bb03040acb95b18bcbcbf4fbdf5fc8558f90d93f811728bda8d2c5820676fa46f2

Download Submit
C:\Windows\Ufatia.exe

Filesize
454KB

MD5
271f1f2117b0eb7f5301ce4a22b914da

SHA1
3fa456c517a538a9922f792e7e772e54bacb9818

SHA256
eaa57acde4466bc8088992090bf6610e73658fbe4c4a7c7353464986bdd4986e

SHA512
fb7024244e09f88777ea7732fb48dd27ebf1452433a24466563d7af1e5616e721f046fa6e44af37dae28f1b3211dd6453600e2cf2711aa61449319f104456e22

Download Submit
memory/5016-18-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5016-144075-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5028-0-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5028-1-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/5028-4-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5028-67193-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download