762688ce4388f73a9b5f18a7d76dab08b670902cd1a23a617afaac6af1247dc9

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe
Size

93KB
MD5

33689535d0e26180a21e520c1990ed10
SHA1

a6d1fea6853271413a07cfdc1d00addcd2ad95e1
SHA256

762688ce4388f73a9b5f18a7d76dab08b670902cd1a23a617afaac6af1247dc9
SHA512

cbcc9e501fddb8e2bd9c25122eaae6c295952af1c03e43b5146fcc11952595f1a9f53270b30f410f9e3c60cfb4dc5441b71cb42c74351d49a7dd39a5164bdee8
SSDEEP

1536:QM5GnA60+HQrnIzKYwT93Gm39l+/Llg8ugh0P3APEXhdXa0/nFD3fr:3UnAMQMA5249leu8ughi3APErXa0df

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2416-0-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/2416-3-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/2416-4-0x0000000000400000-0x0000000000419000-memory.dmp	upx

Kills process with taskkill 2 IoCs

evasion

pid	Process
2788	taskkill.exe
2064	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	taskkill.exe
Token: SeDebugPrivilege	2064	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2788	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	31
PID 2416 wrote to memory of 2788	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	31
PID 2416 wrote to memory of 2788	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	31
PID 2416 wrote to memory of 2788	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	31
PID 2416 wrote to memory of 2836	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	32
PID 2416 wrote to memory of 2836	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	32
PID 2416 wrote to memory of 2836	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	32
PID 2416 wrote to memory of 2836	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	32
PID 2416 wrote to memory of 2772	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	34
PID 2416 wrote to memory of 2772	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	34
PID 2416 wrote to memory of 2772	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	34
PID 2416 wrote to memory of 2772	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	34
PID 2416 wrote to memory of 2684	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	36
PID 2416 wrote to memory of 2684	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	36
PID 2416 wrote to memory of 2684	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	36
PID 2416 wrote to memory of 2684	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	36
PID 2836 wrote to memory of 2696	2836	net.exe	39
PID 2836 wrote to memory of 2696	2836	net.exe	39
PID 2836 wrote to memory of 2696	2836	net.exe	39
PID 2836 wrote to memory of 2696	2836	net.exe	39
PID 2772 wrote to memory of 2396	2772	net.exe	40
PID 2772 wrote to memory of 2396	2772	net.exe	40
PID 2772 wrote to memory of 2396	2772	net.exe	40
PID 2772 wrote to memory of 2396	2772	net.exe	40
PID 2684 wrote to memory of 2704	2684	net.exe	41
PID 2684 wrote to memory of 2704	2684	net.exe	41
PID 2684 wrote to memory of 2704	2684	net.exe	41
PID 2684 wrote to memory of 2704	2684	net.exe	41
PID 2416 wrote to memory of 2064	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	43
PID 2416 wrote to memory of 2064	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	43
PID 2416 wrote to memory of 2064	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	43
PID 2416 wrote to memory of 2064	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	43
PID 2416 wrote to memory of 1576	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	44
PID 2416 wrote to memory of 1576	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	44
PID 2416 wrote to memory of 1576	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	44
PID 2416 wrote to memory of 1576	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	44
PID 2416 wrote to memory of 540	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	46
PID 2416 wrote to memory of 540	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	46
PID 2416 wrote to memory of 540	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	46
PID 2416 wrote to memory of 540	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	46
PID 2416 wrote to memory of 2020	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	49
PID 2416 wrote to memory of 2020	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	49
PID 2416 wrote to memory of 2020	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	49
PID 2416 wrote to memory of 2020	2416	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	49
PID 1576 wrote to memory of 2248	1576	net.exe	51
PID 1576 wrote to memory of 2248	1576	net.exe	51
PID 1576 wrote to memory of 2248	1576	net.exe	51
PID 1576 wrote to memory of 2248	1576	net.exe	51
PID 540 wrote to memory of 1964	540	net.exe	52
PID 540 wrote to memory of 1964	540	net.exe	52
PID 540 wrote to memory of 1964	540	net.exe	52
PID 540 wrote to memory of 1964	540	net.exe	52
PID 2020 wrote to memory of 2260	2020	net.exe	53
PID 2020 wrote to memory of 2260	2020	net.exe	53
PID 2020 wrote to memory of 2260	2020	net.exe	53
PID 2020 wrote to memory of 2260	2020	net.exe	53

C:\Users\Admin\AppData\Local\Temp\33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -f -im iamapp.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\SysWOW64\net.exe
  net stop "norton antivirus firewall monitor service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "norton antivirus firewall monitor service"
    3⤵
    PID:2696
- C:\Windows\SysWOW64\net.exe
  net stop "mcafee firewall"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcafee firewall"
    3⤵
    PID:2396
- C:\Windows\SysWOW64\net.exe
  net stop "panda firewall service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "panda firewall service"
    3⤵
    PID:2704
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -f -im iamapp.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- C:\Windows\SysWOW64\net.exe
  net stop "norton antivirus firewall monitor service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "norton antivirus firewall monitor service"
    3⤵
    PID:2248
- C:\Windows\SysWOW64\net.exe
  net stop "mcafee firewall"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcafee firewall"
    3⤵
    PID:1964
- C:\Windows\SysWOW64\net.exe
  net stop "panda firewall service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "panda firewall service"
    3⤵
    PID:2260

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2416-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2416-3-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2416-4-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download