4ed84e011e6d74fd740c934f84d355ff39d0149e4a47dbfaff15fa91fd58480b

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2820062329f509be7476c293763af5fb_JaffaCakes118.exe
Size

374KB
MD5

2820062329f509be7476c293763af5fb
SHA1

26880126949b6a80bfe51aafa14f0399ca001291
SHA256

4ed84e011e6d74fd740c934f84d355ff39d0149e4a47dbfaff15fa91fd58480b
SHA512

d1ef65ff531e31c0c145e23625422badcce7d44192182bbff6fff630ebedfa04e79ce373485678069714320af0acb1436f21d7bea8cf54c5ff12a7938fb4947f
SSDEEP

6144:A1db49+rEg024fpLZazEjvE/rbay19tSt4bO2BaDmeBJe59rfz9sWhpjBQp9/F7Y:AjkArEN249AyE/rbaMct4bO2/VreUpO+

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2156	lssass.exe
2568	lssass.exe

Loads dropped DLL 2 IoCs

pid	Process
2880	2820062329f509be7476c293763af5fb_JaffaCakes118.exe
2880	2820062329f509be7476c293763af5fb_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2880-0-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral1/memory/2880-15-0x0000000000400000-0x00000000004C3000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2880-15-0x0000000000400000-0x00000000004C3000-memory.dmp	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lssass.exe	2820062329f509be7476c293763af5fb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\lssass.exe	2820062329f509be7476c293763af5fb_JaffaCakes118.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2520	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2156	2880	2820062329f509be7476c293763af5fb_JaffaCakes118.exe	28
PID 2880 wrote to memory of 2156	2880	2820062329f509be7476c293763af5fb_JaffaCakes118.exe	28
PID 2880 wrote to memory of 2156	2880	2820062329f509be7476c293763af5fb_JaffaCakes118.exe	28
PID 2880 wrote to memory of 2156	2880	2820062329f509be7476c293763af5fb_JaffaCakes118.exe	28
PID 2880 wrote to memory of 2520	2880	2820062329f509be7476c293763af5fb_JaffaCakes118.exe	30
PID 2880 wrote to memory of 2520	2880	2820062329f509be7476c293763af5fb_JaffaCakes118.exe	30
PID 2880 wrote to memory of 2520	2880	2820062329f509be7476c293763af5fb_JaffaCakes118.exe	30
PID 2880 wrote to memory of 2520	2880	2820062329f509be7476c293763af5fb_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\2820062329f509be7476c293763af5fb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2820062329f509be7476c293763af5fb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SysWOW64\lssass.exe
  C:\Windows\SysWOW64\lssass.exe -i
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\SysWOW64\sc.exe
  sc start lssass
  2⤵
  - Launches sc.exe
  PID:2520

C:\Windows\SysWOW64\lssass.exe
C:\Windows\SysWOW64\lssass.exe
1⤵
- Executes dropped EXE
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\lssass.exe

Filesize
173KB

MD5
36cc7a90213e8af2af0cdf8378516ac8

SHA1
eb3da9fecac5e51f5265c9415b6fb65e82657138

SHA256
d5a3a771dd16b924417b6c4f4cd130612ac2f5438480461d05d3dfd7c2d27d2a

SHA512
68a654e1c9a0438e43cf7c43efee118073f8cb737f00b949c3ba119bd1a241af6b1b56c3b8fab193ebbdb5ae0d5cfcf038c2b6076afcb93f97598be52f7e9f79

Download Submit
memory/2156-13-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2568-16-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2880-0-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2880-15-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download