b1541d346a83b1f7d19255c59ccbd3b4f09f0dcf282146b856de0e32a25fa619

Analysis

max time kernel
150s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3131adceb3520f9557b65230b8a034ea_JaffaCakes118.exe
Size

12KB
MD5

3131adceb3520f9557b65230b8a034ea
SHA1

57f7aee1ccc800816e6b1306dc051b02f1e1ebed
SHA256

b1541d346a83b1f7d19255c59ccbd3b4f09f0dcf282146b856de0e32a25fa619
SHA512

1e38ad5631143459f4b28908da49615babb4e78069cfeb087b6c4e95d41dfd0ea8d3982ea3fb28e673f583dfa5a8943f346b87f83425d1452a65b1f030eb7d14
SSDEEP

192:wNuvfTXluZ53Fv5DuSCR0vnT08mJIhfoHseIAvaB718LPB5p5RFEtYtGcb9C/N3N:yIzk3FIEvT0pDM+iBAP15PyYgcp5+

Score

8^/10

persistence privilege_escalation upx

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Deletes itself 1 IoCs

pid	Process
2880	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2960	telmanzk.exe

Loads dropped DLL 2 IoCs

pid	Process
2548	3131adceb3520f9557b65230b8a034ea_JaffaCakes118.exe
2548	3131adceb3520f9557b65230b8a034ea_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2548-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x002b000000018f84-3.dat	upx
behavioral1/memory/2960-12-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2548-21-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\telmanz.dll	3131adceb3520f9557b65230b8a034ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\telmanzk.exe	3131adceb3520f9557b65230b8a034ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\telmanzk.exe	3131adceb3520f9557b65230b8a034ea_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2548	3131adceb3520f9557b65230b8a034ea_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2960	2548	3131adceb3520f9557b65230b8a034ea_JaffaCakes118.exe	29
PID 2548 wrote to memory of 2960	2548	3131adceb3520f9557b65230b8a034ea_JaffaCakes118.exe	29
PID 2548 wrote to memory of 2960	2548	3131adceb3520f9557b65230b8a034ea_JaffaCakes118.exe	29
PID 2548 wrote to memory of 2960	2548	3131adceb3520f9557b65230b8a034ea_JaffaCakes118.exe	29
PID 2548 wrote to memory of 2880	2548	3131adceb3520f9557b65230b8a034ea_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2880	2548	3131adceb3520f9557b65230b8a034ea_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2880	2548	3131adceb3520f9557b65230b8a034ea_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2880	2548	3131adceb3520f9557b65230b8a034ea_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\3131adceb3520f9557b65230b8a034ea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3131adceb3520f9557b65230b8a034ea_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\telmanzk.exe
  C:\Windows\system32\telmanzk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\3131adceb3520f9557b65230b8a034ea_JaffaCakes118.exe.bat
  2⤵
  - Deletes itself
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3131adceb3520f9557b65230b8a034ea_JaffaCakes118.exe.bat

Filesize
210B

MD5
67731e6d91f8fc5a806ce1028ca0c3d7

SHA1
31b8d58193671d474313879a78f8f284fc7011f9

SHA256
b196dc056744383396f3b24d252756d8b298788eee62918212ed83f031534006

SHA512
39b89fc535215fad02df927a2f527d534d582560620168698057e5845b8af7a347e62540bf0f00650004ca23008e5223e0dbd59c644a49c9c89a4567afdf0dd0

Download Submit
\Windows\SysWOW64\telmanzk.exe

Filesize
12KB

MD5
3131adceb3520f9557b65230b8a034ea

SHA1
57f7aee1ccc800816e6b1306dc051b02f1e1ebed

SHA256
b1541d346a83b1f7d19255c59ccbd3b4f09f0dcf282146b856de0e32a25fa619

SHA512
1e38ad5631143459f4b28908da49615babb4e78069cfeb087b6c4e95d41dfd0ea8d3982ea3fb28e673f583dfa5a8943f346b87f83425d1452a65b1f030eb7d14

Download Submit
memory/2548-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2548-10-0x0000000000030000-0x000000000003F000-memory.dmp

Filesize
60KB

Download
memory/2548-11-0x0000000000030000-0x000000000003F000-memory.dmp

Filesize
60KB

Download
memory/2548-21-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2960-12-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download