de0cb2b6b1be2e8e82bf07c23c48ba930558f653efaaba9a86f847600430f6b4

Analysis

max time kernel
4s
max time network
91s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3284e59be4faa9336b5b23e07c2ed8db_JaffaCakes118.exe
Size

31KB
MD5

3284e59be4faa9336b5b23e07c2ed8db
SHA1

07a7aecb1fad8d3a5cbb02d5c047a77354445c27
SHA256

de0cb2b6b1be2e8e82bf07c23c48ba930558f653efaaba9a86f847600430f6b4
SHA512

e2b32232a716f8409988c48640af57db72a019483dbbbf7f9a6bfa735b60839581a26ff7b3315e84bb507d20765275ccc30ce076822026b3886424ecf9bdb363
SSDEEP

768:t53z8nI0tRzO8Vg6YIwYw8pH2bBEr1XrRBOV5:gA6N6ErFOj

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1044	3284e59be4faa9336b5b23e07c2ed8db_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\upxdnd = "C:\\Windows\\upxdnd.exe"	3284e59be4faa9336b5b23e07c2ed8db_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\upxdnd.dll	3284e59be4faa9336b5b23e07c2ed8db_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\upxdnd.exe	3284e59be4faa9336b5b23e07c2ed8db_JaffaCakes118.exe
File opened for modification	C:\Windows\upxdnd.exe	3284e59be4faa9336b5b23e07c2ed8db_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1044	3284e59be4faa9336b5b23e07c2ed8db_JaffaCakes118.exe
1044	3284e59be4faa9336b5b23e07c2ed8db_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1044	3284e59be4faa9336b5b23e07c2ed8db_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 3464	1044	3284e59be4faa9336b5b23e07c2ed8db_JaffaCakes118.exe	54
PID 1044 wrote to memory of 3464	1044	3284e59be4faa9336b5b23e07c2ed8db_JaffaCakes118.exe	54

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3464
- C:\Users\Admin\AppData\Local\Temp\3284e59be4faa9336b5b23e07c2ed8db_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3284e59be4faa9336b5b23e07c2ed8db_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1044

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\upxdnd.dll

Filesize
24KB

MD5
7069caf26be622f5a72be6e99a8db29f

SHA1
b5d6da2b32204d2a06c80eaad720614f07ca44ec

SHA256
6469e8a348e8b14a776fb2b865379b658b6a545485c2f8a8f0e88dab33bab146

SHA512
22d0f24dd57a3e00faf6fc3b1b472a8abce256629295735c428c079497826b5085a43562842ca5bb872c64b6568e9ee0ae867b27bc5a51bf18f8690760e81fcd

Download Submit
memory/1044-7-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/1044-8-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/3464-2-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download