58bb782e0b4222b68641abad8f779125d73fc7d411b837d5a011a7feafd08141

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe
Size

501KB
MD5

2d8f429c96d92430c8c66679936bbc1f
SHA1

a753880cfe0cb7051a0b9cf07531d04c13f7d032
SHA256

58bb782e0b4222b68641abad8f779125d73fc7d411b837d5a011a7feafd08141
SHA512

fcf28248d78a68a03dd707d7b88dfe7e020916726c9d6bb24c4dc0d932e6cdbca3dd90bff0984b46ce63ac4f367b80f1ff707b3065fa2deb57b1ca29ba04524f
SSDEEP

6144:y8lLSeKLxjiZjdhTv2tIyzJM/FAvzBF/nM+BNlocz4xWadXmRd7gJQa3:ymFT1yNM/Wvz/Z4WaSdUJP

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2956	Vpevoa.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2780-0-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral2/files/0x0007000000023452-11.dat	upx
behavioral2/memory/2956-14-0x0000000000400000-0x000000000047F000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Vpevoa.exe	2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Vpevoa.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Vpevoa.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe
File created	C:\Windows\Vpevoa.exe	2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
38444	2956	WerFault.exe	85

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Microsoft\Internet Explorer\Main	Vpevoa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe
2956	Vpevoa.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2956	2780	2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe	85
PID 2780 wrote to memory of 2956	2780	2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe	85
PID 2780 wrote to memory of 2956	2780	2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\Vpevoa.exe
  C:\Windows\Vpevoa.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 728
    3⤵
    - Program crash
    PID:38444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2956 -ip 2956
1⤵
PID:38476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
390B

MD5
bc2a413e16be84082ba021608498bbda

SHA1
40de84af83e279fd07605764e57d96ec07dd96e3

SHA256
db289cbca15ff49ddf9a1a61cd3c7b843cd7af7264396ea7f5bee5925cd0e5f3

SHA512
fd93d9643db7a466bd1a9bf17663f04b84e7c89f39413c9c5abe7046e09cef49a3e4953478102a4e1a76fa939ae22a8503d5ac61cc9becd3dc4d11b01379d0d4

Download Submit
C:\Windows\Vpevoa.exe

Filesize
501KB

MD5
2d8f429c96d92430c8c66679936bbc1f

SHA1
a753880cfe0cb7051a0b9cf07531d04c13f7d032

SHA256
58bb782e0b4222b68641abad8f779125d73fc7d411b837d5a011a7feafd08141

SHA512
fcf28248d78a68a03dd707d7b88dfe7e020916726c9d6bb24c4dc0d932e6cdbca3dd90bff0984b46ce63ac4f367b80f1ff707b3065fa2deb57b1ca29ba04524f

Download Submit
memory/2780-1-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2780-2-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/2780-6-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2780-5-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2780-0-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2780-62931-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2956-14-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2956-22-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2956-18-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2956-138411-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2956-138410-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download