6679aafcfedf3e5965a617f1c8509f0983753d7aa99c96d75806d26c82487cc4

Analysis

max time kernel
149s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3326d783e2daa78f70e4d6951c499e72_JaffaCakes118.exe
Size

119KB
MD5

3326d783e2daa78f70e4d6951c499e72
SHA1

f26a4668b9f290875455007a74ad6cb400c654a4
SHA256

6679aafcfedf3e5965a617f1c8509f0983753d7aa99c96d75806d26c82487cc4
SHA512

6a30da1ea699bad7ad9eb5786875ba0c5142e7367a5360d9d5516c1c673e42677b3363f33c00dc6c17a993f8b75bdd7954c7e784c989529a7d3770795d884764
SSDEEP

3072:odCNjFm0EMFjtXXTCTzdYLUzcCRKy3HfwqI4g60XsE0zq1Pa:odC9FDnFjUTzcUYvKHfcf6RE0zy

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4828-0-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral2/memory/4828-11-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral2/memory/876-12-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral2/memory/876-21-0x0000000000400000-0x0000000000442000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Installer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\dtsc\\5193.exe"	5193.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4828	3326d783e2daa78f70e4d6951c499e72_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 876	4828	3326d783e2daa78f70e4d6951c499e72_JaffaCakes118.exe	84
PID 4828 wrote to memory of 876	4828	3326d783e2daa78f70e4d6951c499e72_JaffaCakes118.exe	84
PID 4828 wrote to memory of 876	4828	3326d783e2daa78f70e4d6951c499e72_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\3326d783e2daa78f70e4d6951c499e72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3326d783e2daa78f70e4d6951c499e72_JaffaCakes118.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Users\Admin\AppData\Roaming\Microsoft\dtsc\5193.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\dtsc\5193.exe" up534
  2⤵
  - Adds Run key to start application
  PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
7993f138601eace3897d88f95941f77e

SHA1
1708ab6ad4bdc9529da81ade40527a059ce884f6

SHA256
3ea9ec538685f99ab290f696a6a360b4da830cc4f4ca8a1f9ef5bf15c140228b

SHA512
6269f4a6141d535de7b49a8f1405adbaf88fb27ccf1d78c875f7ec14fe4e3e38841feaeecf421959f809a7a32d3307cbc762aacd820268dfd60a3792111d429f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
6d9a7f07c619468f06c7974360247ec6

SHA1
4bfedf6fb1faad896e20c8fea6158781a9d2854c

SHA256
448f8e5fbe1266f35a4f8993b49e6c04feddfddc4154b2b3cd34f3c8a1dceb71

SHA512
27cc52f4771260f797236820a3c93cec129cbfd1b9c1f12a7da45e2f09453f938cf212aa64197221f985999e054a9f9deb13d61cc5c046f7d5877938154a835a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
45feafeadf121d310181ef4c8a20085d

SHA1
ad887073317795b589d03ab5131c0c26447c2212

SHA256
ef294e717ba54ff304a155416a9d58dcdcf976963e46502f41a3c8940c8ceaf4

SHA512
346ce39abefab2724cef793d421bcbaaaecb15f34b3f5b78afacde167a0ea3692d7d410b58e24b697262f2d3f2f2ffa9b7656ac77ef84f9e7889bbf086acd187

Download Submit
memory/876-12-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/876-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4828-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4828-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads