762688ce4388f73a9b5f18a7d76dab08b670902cd1a23a617afaac6af1247dc9

Analysis

max time kernel
120s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe
Size

93KB
MD5

33689535d0e26180a21e520c1990ed10
SHA1

a6d1fea6853271413a07cfdc1d00addcd2ad95e1
SHA256

762688ce4388f73a9b5f18a7d76dab08b670902cd1a23a617afaac6af1247dc9
SHA512

cbcc9e501fddb8e2bd9c25122eaae6c295952af1c03e43b5146fcc11952595f1a9f53270b30f410f9e3c60cfb4dc5441b71cb42c74351d49a7dd39a5164bdee8
SSDEEP

1536:QM5GnA60+HQrnIzKYwT93Gm39l+/Llg8ugh0P3APEXhdXa0/nFD3fr:3UnAMQMA5249leu8ughi3APErXa0df

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/552-0-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/552-3-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/552-4-0x0000000000400000-0x0000000000419000-memory.dmp	upx

Kills process with taskkill 2 IoCs

evasion

pid	Process
4648	taskkill.exe
3876	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4648	taskkill.exe
Token: SeDebugPrivilege	3876	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
552	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 4648	552	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	89
PID 552 wrote to memory of 4648	552	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	89
PID 552 wrote to memory of 4648	552	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	89
PID 552 wrote to memory of 1524	552	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	90
PID 552 wrote to memory of 1524	552	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	90
PID 552 wrote to memory of 1524	552	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	90
PID 552 wrote to memory of 1292	552	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	91
PID 552 wrote to memory of 1292	552	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	91
PID 552 wrote to memory of 1292	552	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	91
PID 552 wrote to memory of 4476	552	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	92
PID 552 wrote to memory of 4476	552	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	92
PID 552 wrote to memory of 4476	552	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	92
PID 1524 wrote to memory of 1456	1524	net.exe	97
PID 1524 wrote to memory of 1456	1524	net.exe	97
PID 1524 wrote to memory of 1456	1524	net.exe	97
PID 4476 wrote to memory of 4004	4476	net.exe	98
PID 4476 wrote to memory of 4004	4476	net.exe	98
PID 4476 wrote to memory of 4004	4476	net.exe	98
PID 1292 wrote to memory of 4028	1292	net.exe	99
PID 1292 wrote to memory of 4028	1292	net.exe	99
PID 1292 wrote to memory of 4028	1292	net.exe	99
PID 552 wrote to memory of 3876	552	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	102
PID 552 wrote to memory of 3876	552	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	102
PID 552 wrote to memory of 3876	552	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	102
PID 552 wrote to memory of 1448	552	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	103
PID 552 wrote to memory of 1448	552	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	103
PID 552 wrote to memory of 1448	552	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	103
PID 552 wrote to memory of 1356	552	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	104
PID 552 wrote to memory of 1356	552	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	104
PID 552 wrote to memory of 1356	552	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	104
PID 552 wrote to memory of 2356	552	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	105
PID 552 wrote to memory of 2356	552	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	105
PID 552 wrote to memory of 2356	552	33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe	105
PID 1356 wrote to memory of 4108	1356	net.exe	110
PID 1356 wrote to memory of 4108	1356	net.exe	110
PID 1356 wrote to memory of 4108	1356	net.exe	110
PID 1448 wrote to memory of 880	1448	net.exe	111
PID 1448 wrote to memory of 880	1448	net.exe	111
PID 1448 wrote to memory of 880	1448	net.exe	111
PID 2356 wrote to memory of 4796	2356	net.exe	112
PID 2356 wrote to memory of 4796	2356	net.exe	112
PID 2356 wrote to memory of 4796	2356	net.exe	112

C:\Users\Admin\AppData\Local\Temp\33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\33689535d0e26180a21e520c1990ed10_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:552
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -f -im iamapp.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4648
- C:\Windows\SysWOW64\net.exe
  net stop "norton antivirus firewall monitor service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "norton antivirus firewall monitor service"
    3⤵
    PID:1456
- C:\Windows\SysWOW64\net.exe
  net stop "mcafee firewall"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcafee firewall"
    3⤵
    PID:4028
- C:\Windows\SysWOW64\net.exe
  net stop "panda firewall service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "panda firewall service"
    3⤵
    PID:4004
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -f -im iamapp.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3876
- C:\Windows\SysWOW64\net.exe
  net stop "norton antivirus firewall monitor service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "norton antivirus firewall monitor service"
    3⤵
    PID:880
- C:\Windows\SysWOW64\net.exe
  net stop "mcafee firewall"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mcafee firewall"
    3⤵
    PID:4108
- C:\Windows\SysWOW64\net.exe
  net stop "panda firewall service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "panda firewall service"
    3⤵
    PID:4796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/552-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/552-3-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/552-4-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download