Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/07/2024, 05:08 UTC

General

  • Target

    33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe

  • Size

    93KB

  • MD5

    33689535d0e26180a21e520c1990ed10

  • SHA1

    a6d1fea6853271413a07cfdc1d00addcd2ad95e1

  • SHA256

    762688ce4388f73a9b5f18a7d76dab08b670902cd1a23a617afaac6af1247dc9

  • SHA512

    cbcc9e501fddb8e2bd9c25122eaae6c295952af1c03e43b5146fcc11952595f1a9f53270b30f410f9e3c60cfb4dc5441b71cb42c74351d49a7dd39a5164bdee8

  • SSDEEP

    1536:QM5GnA60+HQrnIzKYwT93Gm39l+/Llg8ugh0P3APEXhdXa0/nFD3fr:3UnAMQMA5249leu8ughi3APErXa0df

Score
7/10
upx

Malware Config

Signatures

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Kills process with taskkill 2 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im iamapp.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2788
    • C:\Windows\SysWOW64\net.exe
      net stop "norton antivirus firewall monitor service"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "norton antivirus firewall monitor service"
        3⤵
        PID:2696
    • C:\Windows\SysWOW64\net.exe
      net stop "mcafee firewall"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "mcafee firewall"
        3⤵
        PID:2396
    • C:\Windows\SysWOW64\net.exe
      net stop "panda firewall service"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "panda firewall service"
        3⤵
        PID:2704
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im iamapp.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2064
    • C:\Windows\SysWOW64\net.exe
      net stop "norton antivirus firewall monitor service"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "norton antivirus firewall monitor service"
        3⤵
        PID:2248
    • C:\Windows\SysWOW64\net.exe
      net stop "mcafee firewall"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:540
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "mcafee firewall"
        3⤵
        PID:1964
    • C:\Windows\SysWOW64\net.exe
      net stop "panda firewall service"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "panda firewall service"
        3⤵
        PID:2260

Network

MITRE ATT&CK Matrix

Downloads

  • memory/2416-0-0x0000000000400000-0x0000000000419000-memory.dmp
    Filesize: 100KB

  • memory/2416-3-0x0000000000400000-0x0000000000419000-memory.dmp
    Filesize: 100KB

  • memory/2416-4-0x0000000000400000-0x0000000000419000-memory.dmp
    Filesize: 100KB
