d9aa9e17d219254514a9b77694a2b189e49c1e3cf41fe0d311485e45a5165c75

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d329f9cfebc0bb7ada03df90286e208_JaffaCakes118.exe
Size

58KB
MD5

2d329f9cfebc0bb7ada03df90286e208
SHA1

fa4507fb771a4fa4cdaea9f138bb945fd96974c4
SHA256

d9aa9e17d219254514a9b77694a2b189e49c1e3cf41fe0d311485e45a5165c75
SHA512

39a89b1309f6142e0b11378bc6a72c6a410d6aa90541ba97a0cde8007ca71d32250e218e6bd5f9f3f1b2063c142ecb3c9897444e11ac6d797eef3fb8f8c2b0d4
SSDEEP

1536:d/yx+uTNL7NCJeVVaRNwJAomFk60hWFeKkw:R9uxgWXmFuWMKkw

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2324	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2440	firefox.exe

Loads dropped DLL 1 IoCs

pid	Process
1732	2d329f9cfebc0bb7ada03df90286e208_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1732-0-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/files/0x00080000000120f8-13.dat	upx
behavioral1/memory/2440-19-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\ffdwnd = "C:\\Users\\Admin\\AppData\\Local\\Mozilla\\Firefox\\firefox.exe"	2d329f9cfebc0bb7ada03df90286e208_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2324	1732	2d329f9cfebc0bb7ada03df90286e208_JaffaCakes118.exe	30
PID 1732 wrote to memory of 2324	1732	2d329f9cfebc0bb7ada03df90286e208_JaffaCakes118.exe	30
PID 1732 wrote to memory of 2324	1732	2d329f9cfebc0bb7ada03df90286e208_JaffaCakes118.exe	30
PID 1732 wrote to memory of 2324	1732	2d329f9cfebc0bb7ada03df90286e208_JaffaCakes118.exe	30
PID 1732 wrote to memory of 2440	1732	2d329f9cfebc0bb7ada03df90286e208_JaffaCakes118.exe	32
PID 1732 wrote to memory of 2440	1732	2d329f9cfebc0bb7ada03df90286e208_JaffaCakes118.exe	32
PID 1732 wrote to memory of 2440	1732	2d329f9cfebc0bb7ada03df90286e208_JaffaCakes118.exe	32
PID 1732 wrote to memory of 2440	1732	2d329f9cfebc0bb7ada03df90286e208_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\2d329f9cfebc0bb7ada03df90286e208_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d329f9cfebc0bb7ada03df90286e208_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\unlnk.bat" "
  2⤵
  - Deletes itself
  PID:2324
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\firefox.exe
  "C:\Users\Admin\AppData\Local\Mozilla\Firefox\firefox.exe"
  2⤵
  - Executes dropped EXE
  PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\unlnk.bat

Filesize
159B

MD5
f7eeb6328d69b0e50bda73abe7795b61

SHA1
b1950395d0a1fdbbaafa53c32f9b7c6b81f557e3

SHA256
7e385603c8d2bfad168e7ccfeb0527f4a4dd5d252733b5cf41b7c9a45ffd0445

SHA512
478ed79bc474a7100d38e8d923847e005da1e5232d928a7e24c52cd70c1aff8f3da14df934ecb47d7237b439706275249d9b8b0154139e4b9654b25d4c87d15f

Download Submit
\Users\Admin\AppData\Local\Mozilla\Firefox\firefox.exe

Filesize
58KB

MD5
2d329f9cfebc0bb7ada03df90286e208

SHA1
fa4507fb771a4fa4cdaea9f138bb945fd96974c4

SHA256
d9aa9e17d219254514a9b77694a2b189e49c1e3cf41fe0d311485e45a5165c75

SHA512
39a89b1309f6142e0b11378bc6a72c6a410d6aa90541ba97a0cde8007ca71d32250e218e6bd5f9f3f1b2063c142ecb3c9897444e11ac6d797eef3fb8f8c2b0d4

Download Submit
memory/1732-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1732-4-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/1732-17-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2440-19-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2440-20-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2440-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads