1e05158668a8537df55bb75caedf595435ceb582584491970acb7b334977d053

Analysis

max time kernel
21s
max time network
21s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34eb1ce08010fa937470b4e84959a7d3_JaffaCakes118.exe
Size

48KB
MD5

34eb1ce08010fa937470b4e84959a7d3
SHA1

4f4993446c981e0701732fbe7ed4dcc13a5a70e4
SHA256

1e05158668a8537df55bb75caedf595435ceb582584491970acb7b334977d053
SHA512

df7122b597004bcac3f43cae7a7928310d82ad7b6f72c135a901a9b759f863780416aa551909861c1d1cc7868823d61328d7e3f13664986bd1e5353d9e864ef0
SSDEEP

768:Ixr+GXjJ+0tggudHCwMpIyh/am29ZMVNKT:CZjJ+0tgfdixpIyhym2n

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2696	ope42F9.exe
2736	ope4358.exe

Loads dropped DLL 7 IoCs

pid	Process
2352	34eb1ce08010fa937470b4e84959a7d3_JaffaCakes118.exe
2352	34eb1ce08010fa937470b4e84959a7d3_JaffaCakes118.exe
2352	34eb1ce08010fa937470b4e84959a7d3_JaffaCakes118.exe
2352	34eb1ce08010fa937470b4e84959a7d3_JaffaCakes118.exe
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016b85-15.dat	upx
behavioral1/memory/2352-17-0x00000000004F0000-0x00000000004FB000-memory.dmp	upx
behavioral1/memory/2736-23-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2232	2696	WerFault.exe	29

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2696	2352	34eb1ce08010fa937470b4e84959a7d3_JaffaCakes118.exe	29
PID 2352 wrote to memory of 2696	2352	34eb1ce08010fa937470b4e84959a7d3_JaffaCakes118.exe	29
PID 2352 wrote to memory of 2696	2352	34eb1ce08010fa937470b4e84959a7d3_JaffaCakes118.exe	29
PID 2352 wrote to memory of 2696	2352	34eb1ce08010fa937470b4e84959a7d3_JaffaCakes118.exe	29
PID 2696 wrote to memory of 2232	2696	ope42F9.exe	30
PID 2696 wrote to memory of 2232	2696	ope42F9.exe	30
PID 2696 wrote to memory of 2232	2696	ope42F9.exe	30
PID 2696 wrote to memory of 2232	2696	ope42F9.exe	30
PID 2352 wrote to memory of 2736	2352	34eb1ce08010fa937470b4e84959a7d3_JaffaCakes118.exe	31
PID 2352 wrote to memory of 2736	2352	34eb1ce08010fa937470b4e84959a7d3_JaffaCakes118.exe	31
PID 2352 wrote to memory of 2736	2352	34eb1ce08010fa937470b4e84959a7d3_JaffaCakes118.exe	31
PID 2352 wrote to memory of 2736	2352	34eb1ce08010fa937470b4e84959a7d3_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\34eb1ce08010fa937470b4e84959a7d3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\34eb1ce08010fa937470b4e84959a7d3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\ope42F9.exe
  "C:\Users\Admin\AppData\Local\Temp\ope42F9.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 36
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2232
- C:\Users\Admin\AppData\Local\Temp\ope4358.exe
  "C:\Users\Admin\AppData\Local\Temp\ope4358.exe"
  2⤵
  - Executes dropped EXE
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ope42F9.exe

Filesize
23KB

MD5
7df2c9d287d9ba94273e88d44f51a67c

SHA1
3c530fa5b468700600c0688f2a36d4794e1509c1

SHA256
b411c05374553088ba0e679be80d226eb828e9c712c61ead398b6b61c4e1f17d

SHA512
95735aa6f829096e969e1feaf90c7bec63f77ad360297c4dc1b439b6282a911ad50077828a0d04546322ef48cf1658c5651f8600b296900db4ce37ef651cf92a

Download Submit
\Users\Admin\AppData\Local\Temp\ope4358.exe

Filesize
9KB

MD5
d1cd032928c0821d383058dafe463040

SHA1
fa7700edc66980aa9c9aa2fc4b08a8eedc671f4f

SHA256
f004851ad5e9464f9cfbe57010e4b9650219edfd28431590f33e5e39d1f0a948

SHA512
299534734287dcb48714d7baebec769488ebd25aca73104c8b5391362865fd451b10f74e02918f95693032dfc0b40e332e9ec60b83cb94b7b2ff7cb0d5a8e838

Download Submit
memory/2352-0-0x0000000000400000-0x000000000040C200-memory.dmp

Filesize
48KB

Download
memory/2352-5-0x00000000023E0000-0x00000000023F5000-memory.dmp

Filesize
84KB

Download
memory/2352-12-0x00000000023E0000-0x00000000023F5000-memory.dmp

Filesize
84KB

Download
memory/2352-17-0x00000000004F0000-0x00000000004FB000-memory.dmp

Filesize
44KB

Download
memory/2352-29-0x00000000023E0000-0x00000000023F5000-memory.dmp

Filesize
84KB

Download
memory/2352-30-0x00000000004F0000-0x00000000004FB000-memory.dmp

Filesize
44KB

Download
memory/2696-13-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2736-23-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download