7c5bcd26d75e051ea3c573c3cbed3ef2e21f05a86f372cc06fce280ad6bd1112

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
06-07-2024 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

289a36d768f0919c422e245dd00cd138_JaffaCakes118.exe
Size

195KB
MD5

289a36d768f0919c422e245dd00cd138
SHA1

8f61af04606ab2c9fede2651722fa84b09a2b13a
SHA256

7c5bcd26d75e051ea3c573c3cbed3ef2e21f05a86f372cc06fce280ad6bd1112
SHA512

5079ad5488d69db5e35266f1275087fae91a5d4c51a4e25fbf1ce9bac1e57729498d3eee5798c708f99a4b60677ba4c2ca3a8798f459ed25f32675db92ed5765
SSDEEP

6144:vr8tA9HjaqvwO/FxOHjFlQDZTqR1ZJqkgGrS:z8tSHdvwO/EWZOjZJpPrS

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2148	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
332	csrss.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2140-0-0x0000000000400000-0x000000000043F000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2140 set thread context of 2148	2140	289a36d768f0919c422e245dd00cd138_JaffaCakes118.exe	29

Modifies registry class 3 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{862703e3-6e7c-b4d4-5418-1c7942b29c45}\cid = "8379480547019828240"	explorer.exe
Key created	\registry\machine\Software\Classes\Interface\{862703e3-6e7c-b4d4-5418-1c7942b29c45}	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{862703e3-6e7c-b4d4-5418-1c7942b29c45}\u = "37"	explorer.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2148	explorer.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2148	2140	289a36d768f0919c422e245dd00cd138_JaffaCakes118.exe	29
PID 2140 wrote to memory of 2148	2140	289a36d768f0919c422e245dd00cd138_JaffaCakes118.exe	29
PID 2140 wrote to memory of 2148	2140	289a36d768f0919c422e245dd00cd138_JaffaCakes118.exe	29
PID 2140 wrote to memory of 2148	2140	289a36d768f0919c422e245dd00cd138_JaffaCakes118.exe	29
PID 2140 wrote to memory of 2148	2140	289a36d768f0919c422e245dd00cd138_JaffaCakes118.exe	29
PID 2148 wrote to memory of 332	2148	explorer.exe	2
PID 332 wrote to memory of 2332	332	csrss.exe	30
PID 332 wrote to memory of 2332	332	csrss.exe	30
PID 332 wrote to memory of 2604	332	csrss.exe	31
PID 332 wrote to memory of 2604	332	csrss.exe	31

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332

C:\Users\Admin\AppData\Local\Temp\289a36d768f0919c422e245dd00cd138_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\289a36d768f0919c422e245dd00cd138_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\explorer.exe
  00000060*
  2⤵
  - Deletes itself
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2148

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2332

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.DLL

Filesize
31KB

MD5
dafc4a53954b76c5db1d857e955f3805

SHA1
a18fa0d38c6656b4398953e77e87eec3b0209ef3

SHA256
c6c82dde145a2dd9d70b1b539b17571befb663fc4a9ca834ff2a140cc4ebaa0b

SHA512
745e27a4f952e2492dbd12ced396be2c7dc78344ba415ad64b45920f95d7a282e30c7ad2da9266dc195c71e38019809e8183a705f9276c7d178de2f5ef34b633

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

Filesize
2KB

MD5
ea1199620ab4c7affcfc626d441ccb88

SHA1
ae17bdf21e6221d915017e7db2ba57b0e7ab24a7

SHA256
8ed4c6e27dbf70c283ca3b11e55f8ba4fe0e3afe02b6410b8295224ca799395b

SHA512
e8a82f53c0fc8b98360d87e5d90147b853141dc64f9efe3925f9a99cc3a253ee421119481de7973dd14614e26c069e8e2f9af6f51838a79488e07804a0922c8c

Download Submit
memory/332-20-0x00000000022D0000-0x00000000022DC000-memory.dmp

Filesize
48KB

Download
memory/332-21-0x00000000022D0000-0x00000000022DC000-memory.dmp

Filesize
48KB

Download
memory/2140-1-0x00000000001B0000-0x00000000001C4000-memory.dmp

Filesize
80KB

Download
memory/2140-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2140-3-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2148-9-0x0000000000140000-0x0000000000154000-memory.dmp

Filesize
80KB

Download
memory/2148-14-0x0000000000140000-0x0000000000154000-memory.dmp

Filesize
80KB

Download
memory/2148-4-0x0000000000140000-0x0000000000154000-memory.dmp

Filesize
80KB

Download
memory/2148-15-0x00000000000F0000-0x0000000000102000-memory.dmp

Filesize
72KB

Download