bec7f2925ccaa414051904304bb85895ae0ee5f97a5d7b8b2a7d859ab2c91ceb

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe
Size

832KB
MD5

3217bb5f48429eb0a8ba415c454ece23
SHA1

8f62c2260bcaaf17bd7edd91ca946e589594f948
SHA256

bec7f2925ccaa414051904304bb85895ae0ee5f97a5d7b8b2a7d859ab2c91ceb
SHA512

1ea3356552e09ba6eab1111ad3747d6a8f950b0bf40350651a326843b3eb31591debff25632bf24f50bd40efb86707931a276f7c2ca6db77f1b71f1bf895d0c2
SSDEEP

12288:0nY+4nxOwlfNS7LmvBp4XaSljhpogdEA01J6lF/iptrTeSIjo5i6CRxJrSrkr:5xBlfNS7TP1l+1Y6trFIUQTJrSrkr

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2956	system32.exe
348	system32.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2164-12-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2164-16-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2164-15-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2164-14-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2164-13-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2164-10-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2164-6-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2164-4-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2164-25-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/348-47-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/348-44-0x0000000040010000-0x000000004004B000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3032 set thread context of 2164	3032	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe	30
PID 2956 set thread context of 348	2956	system32.exe	32

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32.exe	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe
File opened for modification	C:\Windows\system32.exe	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe
File created	C:\Windows\system32.exe	system32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3032	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe
2956	system32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2164	3032	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2164	3032	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2164	3032	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2164	3032	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2164	3032	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2164	3032	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2164	3032	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2164	3032	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe	30
PID 2164 wrote to memory of 2956	2164	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe	31
PID 2164 wrote to memory of 2956	2164	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe	31
PID 2164 wrote to memory of 2956	2164	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe	31
PID 2164 wrote to memory of 2956	2164	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe	31
PID 2956 wrote to memory of 348	2956	system32.exe	32
PID 2956 wrote to memory of 348	2956	system32.exe	32
PID 2956 wrote to memory of 348	2956	system32.exe	32
PID 2956 wrote to memory of 348	2956	system32.exe	32
PID 2956 wrote to memory of 348	2956	system32.exe	32
PID 2956 wrote to memory of 348	2956	system32.exe	32
PID 2956 wrote to memory of 348	2956	system32.exe	32
PID 2956 wrote to memory of 348	2956	system32.exe	32
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33
PID 348 wrote to memory of 2828	348	system32.exe	33

C:\Users\Admin\AppData\Local\Temp\3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\system32.exe
    -bs
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\system32.exe
      C:\Windows\system32.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:348
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32.exe

Filesize
832KB

MD5
3217bb5f48429eb0a8ba415c454ece23

SHA1
8f62c2260bcaaf17bd7edd91ca946e589594f948

SHA256
bec7f2925ccaa414051904304bb85895ae0ee5f97a5d7b8b2a7d859ab2c91ceb

SHA512
1ea3356552e09ba6eab1111ad3747d6a8f950b0bf40350651a326843b3eb31591debff25632bf24f50bd40efb86707931a276f7c2ca6db77f1b71f1bf895d0c2

Download Submit
memory/348-44-0x0000000040010000-0x000000004004B000-memory.dmp

Filesize
236KB

Download
memory/348-47-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2164-10-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2164-14-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2164-13-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2164-2-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2164-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2164-6-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2164-4-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2164-25-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2164-15-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2164-16-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2164-12-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download