f45c0c31e5b2fe74a42738056ce29f433faa06af893b3838dee1c3c890d43bfc

Analysis

max time kernel
150s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

320075e33fac99eaee9d572c189d07e8_JaffaCakes118.exe
Size

230KB
MD5

320075e33fac99eaee9d572c189d07e8
SHA1

6b2ca9960ebedbe7e369f0f9f2429e5a320586c9
SHA256

f45c0c31e5b2fe74a42738056ce29f433faa06af893b3838dee1c3c890d43bfc
SHA512

c5a7e4b85b60a56be9f0b54dae2e3e5363ee732a61c4f8af03041ab21b8b8dbf0d60c2ba18727f8c8f12b691fe6ace6b994e617cd29993437b544da6c0007ec3
SSDEEP

6144:XpJ8yUj4nWUNUkpprAMoCzghZu3pNHmYe3DmJztw9/o:XVWUNUIAMoQeu3pNzoDmJztq

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3472	Ulidya.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2316-0-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/files/0x0007000000023415-8.dat	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Ulidya.exe	320075e33fac99eaee9d572c189d07e8_JaffaCakes118.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Ulidya.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Ulidya.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	320075e33fac99eaee9d572c189d07e8_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	320075e33fac99eaee9d572c189d07e8_JaffaCakes118.exe
File created	C:\Windows\Ulidya.exe	320075e33fac99eaee9d572c189d07e8_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\Main	Ulidya.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\International	Ulidya.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe
3472	Ulidya.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 3472	2316	320075e33fac99eaee9d572c189d07e8_JaffaCakes118.exe	80
PID 2316 wrote to memory of 3472	2316	320075e33fac99eaee9d572c189d07e8_JaffaCakes118.exe	80
PID 2316 wrote to memory of 3472	2316	320075e33fac99eaee9d572c189d07e8_JaffaCakes118.exe	80

C:\Users\Admin\AppData\Local\Temp\320075e33fac99eaee9d572c189d07e8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\320075e33fac99eaee9d572c189d07e8_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\Ulidya.exe
  C:\Windows\Ulidya.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
390B

MD5
c349fc083698e10c96c09c999f9e56dc

SHA1
00dc2c2389dfa40a84990dd90836f3724222f54d

SHA256
bcb63bd66ca82ff934bbf4600f7b9be715e9d47c9049e4e28b43d808db0e73fb

SHA512
4eee8c93032b9c5dd479a07dadb7eeaaf0483da3e334a1ad8239874ccbc4f6c342633d48dfebaea9951a48bb74bb0fea84948dedd99c7a0ddf2ee9c89dcac3bb

Download Submit
C:\Windows\Ulidya.exe

Filesize
230KB

MD5
320075e33fac99eaee9d572c189d07e8

SHA1
6b2ca9960ebedbe7e369f0f9f2429e5a320586c9

SHA256
f45c0c31e5b2fe74a42738056ce29f433faa06af893b3838dee1c3c890d43bfc

SHA512
c5a7e4b85b60a56be9f0b54dae2e3e5363ee732a61c4f8af03041ab21b8b8dbf0d60c2ba18727f8c8f12b691fe6ace6b994e617cd29993437b544da6c0007ec3

Download Submit
memory/2316-2-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2316-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2316-1-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/2316-36328-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3472-158667-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3472-9-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3472-10-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3472-158666-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3472-158665-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3472-158664-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3472-158668-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3472-158672-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3472-158675-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download