716391c724a7b285c2d2fcba540bf54f95d59ee4bc39e57cefd28b8bb3f26a94

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f21ef99f76f88fa52ee035e2ae519e8_JaffaCakes118.exe
Size

17KB
MD5

2f21ef99f76f88fa52ee035e2ae519e8
SHA1

34f463c698ddd0bfce771813dc92df4e6bac1d4d
SHA256

716391c724a7b285c2d2fcba540bf54f95d59ee4bc39e57cefd28b8bb3f26a94
SHA512

3597dcde0141fd05423b3fdc8e5564c4159073d4d0d576aead2bf9e85999000e75e702a06502240c951ca218ef10692e9983eb5eabe125f9aa4d56b8a36c1d38
SSDEEP

384:GcFhXnOI0boFNBAg+xwiY4CCSraW7fN1OHxqxklmnp6:GoXOIDNBp+jY4CFl7f/OHxqGknw

Score

7^/10

persistence upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
332	2f21ef99f76f88fa52ee035e2ae519e8_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/332-0-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral1/memory/332-21-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\hefcndy = "C:\\Windows\\hefcndy.exe"	2f21ef99f76f88fa52ee035e2ae519e8_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\hefcndy.dll	2f21ef99f76f88fa52ee035e2ae519e8_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\hefcndy.exe	2f21ef99f76f88fa52ee035e2ae519e8_JaffaCakes118.exe
File opened for modification	C:\Windows\hefcndy.exe	2f21ef99f76f88fa52ee035e2ae519e8_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
332	2f21ef99f76f88fa52ee035e2ae519e8_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
332	2f21ef99f76f88fa52ee035e2ae519e8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 332 wrote to memory of 1256	332	2f21ef99f76f88fa52ee035e2ae519e8_JaffaCakes118.exe	21
PID 332 wrote to memory of 1256	332	2f21ef99f76f88fa52ee035e2ae519e8_JaffaCakes118.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\2f21ef99f76f88fa52ee035e2ae519e8_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2f21ef99f76f88fa52ee035e2ae519e8_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\hefcndy.dll

Filesize
24KB

MD5
d2ce0fc359a6d143ea4d814f033b1f50

SHA1
2eed1cfbd3788e6118154b45053ee4229e694b6a

SHA256
742afb18cb87247d718cbb866db0da9945a4403552d3087e65b886bd942b6694

SHA512
be2704b984113ce436f6e299ad4e46839118559ced997138a77e8d577dcce4fd37b13cadb17a4fd564dca6ab796388bdb36a0957b6c995c73b9298520f03486d

Download Submit
memory/332-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/332-16-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/332-12-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/332-20-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/332-21-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1256-3-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download