a1cd875002d46ac54c4cf63b5ea61f47f2f2d3408496eecba8a3261a54744914

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

301b8d4d63c022e0c2c6fae49ec0dd42_JaffaCakes118.exe
Size

36KB
MD5

301b8d4d63c022e0c2c6fae49ec0dd42
SHA1

6fd6708b08956986f24be4c75c00a324b0085586
SHA256

a1cd875002d46ac54c4cf63b5ea61f47f2f2d3408496eecba8a3261a54744914
SHA512

52a4da4772524e86e3b41d6fbd92aeae1519cf42683e4f8e6f1f56a46773158cafa6e6757299bbca772d1789d70fec931a6b177beef34a1be5b2ba4a421ea71b
SSDEEP

768:LwprPyljCsyJQQJ3WRLUxoqeq7gifHTVrAfsXJfUo4ryzwq:crCUJQQJ3WRLUyqeqkwgs5fqyz

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\swwai.sys	301b8d4d63c022e0c2c6fae49ec0dd42_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\swwai.sys	301b8d4d63c022e0c2c6fae49ec0dd42_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4272-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4272-10-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\KEz.dll	301b8d4d63c022e0c2c6fae49ec0dd42_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\KEz.dll	301b8d4d63c022e0c2c6fae49ec0dd42_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\QRu7wb.bat	301b8d4d63c022e0c2c6fae49ec0dd42_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1548	PING.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 2140	4272	301b8d4d63c022e0c2c6fae49ec0dd42_JaffaCakes118.exe	83
PID 4272 wrote to memory of 2140	4272	301b8d4d63c022e0c2c6fae49ec0dd42_JaffaCakes118.exe	83
PID 4272 wrote to memory of 2140	4272	301b8d4d63c022e0c2c6fae49ec0dd42_JaffaCakes118.exe	83
PID 2140 wrote to memory of 1548	2140	cmd.exe	86
PID 2140 wrote to memory of 1548	2140	cmd.exe	86
PID 2140 wrote to memory of 1548	2140	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\301b8d4d63c022e0c2c6fae49ec0dd42_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\301b8d4d63c022e0c2c6fae49ec0dd42_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\QRu7wb.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\QRu7wb.bat

Filesize
249B

MD5
b08429a154618ea305a27df8c230e724

SHA1
ebdefc6f82abf640a6044ef6a26c61acd6b72a7f

SHA256
5997fe1a7b99594e134a4e703ae92a363ebd6a9914ac953c6f29f42a6bcc9e85

SHA512
7c6e0524d951d8fc5d62caefa87fe10528b75a75f824533e9adb36239bc50030787bb40ebb705ceef8e82a243e34a033c49a86a4d13e16539acbdea111050e24

Download Submit
memory/4272-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4272-10-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download