bec7f2925ccaa414051904304bb85895ae0ee5f97a5d7b8b2a7d859ab2c91ceb

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 21:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe
Size

832KB
MD5

3217bb5f48429eb0a8ba415c454ece23
SHA1

8f62c2260bcaaf17bd7edd91ca946e589594f948
SHA256

bec7f2925ccaa414051904304bb85895ae0ee5f97a5d7b8b2a7d859ab2c91ceb
SHA512

1ea3356552e09ba6eab1111ad3747d6a8f950b0bf40350651a326843b3eb31591debff25632bf24f50bd40efb86707931a276f7c2ca6db77f1b71f1bf895d0c2
SSDEEP

12288:0nY+4nxOwlfNS7LmvBp4XaSljhpogdEA01J6lF/iptrTeSIjo5i6CRxJrSrkr:5xBlfNS7TP1l+1Y6trFIUQTJrSrkr

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
932	system32.exe
1964	system32.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4076-2-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4076-4-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4076-5-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4076-6-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4076-13-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1964-21-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1964-22-0x0000000040010000-0x000000004004B000-memory.dmp	upx
behavioral2/memory/1964-23-0x0000000040010000-0x000000004004B000-memory.dmp	upx
behavioral2/memory/1964-26-0x0000000000400000-0x0000000000427000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 884 set thread context of 4076	884	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe	82
PID 932 set thread context of 1964	932	system32.exe	86

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32.exe	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe
File created	C:\Windows\system32.exe	system32.exe
File created	C:\Windows\system32.exe	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
884	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe
932	system32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 4076	884	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe	82
PID 884 wrote to memory of 4076	884	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe	82
PID 884 wrote to memory of 4076	884	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe	82
PID 884 wrote to memory of 4076	884	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe	82
PID 884 wrote to memory of 4076	884	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe	82
PID 884 wrote to memory of 4076	884	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe	82
PID 884 wrote to memory of 4076	884	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe	82
PID 884 wrote to memory of 4076	884	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe	82
PID 4076 wrote to memory of 932	4076	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe	85
PID 4076 wrote to memory of 932	4076	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe	85
PID 4076 wrote to memory of 932	4076	3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe	85
PID 932 wrote to memory of 1964	932	system32.exe	86
PID 932 wrote to memory of 1964	932	system32.exe	86
PID 932 wrote to memory of 1964	932	system32.exe	86
PID 932 wrote to memory of 1964	932	system32.exe	86
PID 932 wrote to memory of 1964	932	system32.exe	86
PID 932 wrote to memory of 1964	932	system32.exe	86
PID 932 wrote to memory of 1964	932	system32.exe	86
PID 932 wrote to memory of 1964	932	system32.exe	86
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87
PID 1964 wrote to memory of 5084	1964	system32.exe	87

C:\Users\Admin\AppData\Local\Temp\3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:884
- C:\Users\Admin\AppData\Local\Temp\3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3217bb5f48429eb0a8ba415c454ece23_JaffaCakes118.exe
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\system32.exe
    -bs
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:932
  - - C:\Windows\system32.exe
      C:\Windows\system32.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:1964
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:5084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32.exe

Filesize
832KB

MD5
3217bb5f48429eb0a8ba415c454ece23

SHA1
8f62c2260bcaaf17bd7edd91ca946e589594f948

SHA256
bec7f2925ccaa414051904304bb85895ae0ee5f97a5d7b8b2a7d859ab2c91ceb

SHA512
1ea3356552e09ba6eab1111ad3747d6a8f950b0bf40350651a326843b3eb31591debff25632bf24f50bd40efb86707931a276f7c2ca6db77f1b71f1bf895d0c2

Download Submit
memory/1964-21-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1964-22-0x0000000040010000-0x000000004004B000-memory.dmp

Filesize
236KB

Download
memory/1964-23-0x0000000040010000-0x000000004004B000-memory.dmp

Filesize
236KB

Download
memory/1964-26-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4076-2-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4076-4-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4076-5-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4076-6-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4076-13-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download