6069425cbe9dea0ce95e57aee247d217193f47fa8bfc80b33a8666a6c3ce7b9c

Analysis

max time kernel
94s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b15bf7cba5ecbd8430fa5e55ed1709d_JaffaCakes118.exe
Size

14KB
MD5

2b15bf7cba5ecbd8430fa5e55ed1709d
SHA1

d1154ab3de39c2ade73e05e844f97ee6cba2ee69
SHA256

6069425cbe9dea0ce95e57aee247d217193f47fa8bfc80b33a8666a6c3ce7b9c
SHA512

59e0fd39109d71bde5e553551fd678749bec79663a2dbb06035391f09414a13443d0b870951c0e15cedf5b36789639b13d97e91c7d63cbaf8070c3d872d83165
SSDEEP

192:acMDkqH6dOvQnpu5g/rRK8AWkOAqaBSYnCjHbQZGsjit7CvRTvRKZz7QFg+sX6Cd:yDkFdOv0/rR1aBS0Cj7hJ4Rz0ZVXkIW

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1308	ld08.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3712-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral2/files/0x0006000000023287-7.dat	upx
behavioral2/memory/1308-8-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysLDtray = "c:\\windows\\ld08.exe"	ld08.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\ld08.exe	2b15bf7cba5ecbd8430fa5e55ed1709d_JaffaCakes118.exe
File created	\??\c:\windows\ld08.exe	2b15bf7cba5ecbd8430fa5e55ed1709d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 1308	3712	2b15bf7cba5ecbd8430fa5e55ed1709d_JaffaCakes118.exe	82
PID 3712 wrote to memory of 1308	3712	2b15bf7cba5ecbd8430fa5e55ed1709d_JaffaCakes118.exe	82
PID 3712 wrote to memory of 1308	3712	2b15bf7cba5ecbd8430fa5e55ed1709d_JaffaCakes118.exe	82
PID 3712 wrote to memory of 4032	3712	2b15bf7cba5ecbd8430fa5e55ed1709d_JaffaCakes118.exe	83
PID 3712 wrote to memory of 4032	3712	2b15bf7cba5ecbd8430fa5e55ed1709d_JaffaCakes118.exe	83
PID 3712 wrote to memory of 4032	3712	2b15bf7cba5ecbd8430fa5e55ed1709d_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\2b15bf7cba5ecbd8430fa5e55ed1709d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b15bf7cba5ecbd8430fa5e55ed1709d_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3712
- \??\c:\windows\ld08.exe
  c:\windows\ld08.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\43454354.bat
  2⤵
  PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\43454354.bat

Filesize
265B

MD5
e47794614b27d67ccfcc927b87a00ae8

SHA1
7d3b977ec3909fbea78a080ea1874aa2a6b14d76

SHA256
40f59f5b5eb86ebd19ec4dbc28c4333d7c99b0bf45ef36c6d061ed9bbf23670a

SHA512
b8686c0150c155ddc2fe7ba7b7b54d2512d7e59d63ffd3bae633b20c0aa91d6369fdb1425fff2ca620a9e5fcd031e7fdffca62858588e56555415f8f7792652a

Download Submit
\??\c:\windows\ld08.exe

Filesize
14KB

MD5
2b15bf7cba5ecbd8430fa5e55ed1709d

SHA1
d1154ab3de39c2ade73e05e844f97ee6cba2ee69

SHA256
6069425cbe9dea0ce95e57aee247d217193f47fa8bfc80b33a8666a6c3ce7b9c

SHA512
59e0fd39109d71bde5e553551fd678749bec79663a2dbb06035391f09414a13443d0b870951c0e15cedf5b36789639b13d97e91c7d63cbaf8070c3d872d83165

Download Submit
memory/1308-8-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3712-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads