9eb0bad5d55e2f6e53656993a79d4e32d6bd70b4163f0b6870b2920bb5f3beeb

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 07:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

382a623b6658176667c45cf017548cba_JaffaCakes118.exe
Size

839KB
MD5

382a623b6658176667c45cf017548cba
SHA1

a4d02efebfd32286d6b555fc85f514dc935ba286
SHA256

9eb0bad5d55e2f6e53656993a79d4e32d6bd70b4163f0b6870b2920bb5f3beeb
SHA512

aa6b79bbdc5788a021f3fb38b563f69477b7f53bc272f4b72faf421afe54616fd6ae7be99332d72858c47969edf0bc13f623dfb4acd722e4ed15d8ddc382d066
SSDEEP

12288:Ighm8FELJ17wCpNPjIqxuuECGDUg8Zy/cLONpB6v:Ikm8eHLO7Bu

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2820	cmd.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1356-0-0x0000000000400000-0x00000000004D3000-memory.dmp	upx
behavioral1/memory/1356-32-0x0000000000400000-0x00000000004D3000-memory.dmp	upx
behavioral1/files/0x00080000000162ed-36.dat	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1356 set thread context of 3032	1356	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	30

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1808	reg.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 3032	1356	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	30
PID 1356 wrote to memory of 3032	1356	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	30
PID 1356 wrote to memory of 3032	1356	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	30
PID 1356 wrote to memory of 3032	1356	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	30
PID 1356 wrote to memory of 3032	1356	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	30
PID 1356 wrote to memory of 3032	1356	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	30
PID 1356 wrote to memory of 3032	1356	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	30
PID 1356 wrote to memory of 3032	1356	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2796	3032	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	31
PID 3032 wrote to memory of 2796	3032	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	31
PID 3032 wrote to memory of 2796	3032	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	31
PID 3032 wrote to memory of 2796	3032	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	31
PID 1356 wrote to memory of 2820	1356	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	33
PID 1356 wrote to memory of 2820	1356	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	33
PID 1356 wrote to memory of 2820	1356	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	33
PID 1356 wrote to memory of 2820	1356	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	33
PID 2796 wrote to memory of 1808	2796	cmd.exe	35
PID 2796 wrote to memory of 1808	2796	cmd.exe	35
PID 2796 wrote to memory of 1808	2796	cmd.exe	35
PID 2796 wrote to memory of 1808	2796	cmd.exe	35
PID 2796 wrote to memory of 2852	2796	cmd.exe	36
PID 2796 wrote to memory of 2852	2796	cmd.exe	36
PID 2796 wrote to memory of 2852	2796	cmd.exe	36
PID 2796 wrote to memory of 2852	2796	cmd.exe	36
PID 2796 wrote to memory of 2852	2796	cmd.exe	36
PID 2796 wrote to memory of 2852	2796	cmd.exe	36
PID 2796 wrote to memory of 2852	2796	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\382a623b6658176667c45cf017548cba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\382a623b6658176667c45cf017548cba_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\AppData\Local\Temp\382a623b6658176667c45cf017548cba_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\382a623b6658176667c45cf017548cba_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Start.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .exe /f
      4⤵
      Modifies registry key
      PID:1808
  - - C:\Windows\SysWOW64\gpupdate.exe
      gpupdate /force
      4⤵
      PID:2852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\jnduf.bat
  2⤵
  - Deletes itself
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Start.bat

Filesize
200B

MD5
9cedeb0b293d2b5491225ef3d9eb2a8b

SHA1
b607ef9bd319b6ec696c8dab8a314998d133298b

SHA256
3fc59706783a0778da9121da52a63e34e47c82f436d5b14943e14fb418fd4f08

SHA512
ec7d4544e32b1ea460895b1037a9eca2529eed45d6ee1644f83dfc4d4ad8f7c32a811ee4627bc6b243fb5d5c9e3e2b22060d6a2903692830ff1f114d2b9f3cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf.bat

Filesize
305B

MD5
7c9b1ae619f1dec9f160d4782fc7676f

SHA1
2e08844997427afcf7e4b6fbb888983e88f9096f

SHA256
3d598e9af59166895dd9929a028a6b1dd3915a8df53a3903fcbb80764be119d9

SHA512
354a045bac432253b62eb425839515c74e59f6960e85106fefc7d751c6b3b8274693266d36952bf8efc9cfabdebc4eca4ffd58f45ead11b7ea7009e80a31e107

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf~.tmp

Filesize
839KB

MD5
2cbc7d9277d1528ab9f877048effe07e

SHA1
0968dea35ad99bc815edacf8b39bc75e5caa4eee

SHA256
85c6b402d22ce1ff31d89d79ffd7418f5ebfce8bc3c84fc6e43e49e974703bda

SHA512
e63f93f3cb1f35d92f802b8cea3bc091a3a133b910e03885891c5deac6ba71953e4a6bcffcd98ff10b241a59779b10809513c86b8a7bfd3a05e42e70f6cdfb96

Download Submit
memory/1356-32-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/1356-33-0x0000000002210000-0x00000000022E3000-memory.dmp

Filesize
844KB

Download
memory/1356-0-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/1356-12-0x0000000002210000-0x00000000022E3000-memory.dmp

Filesize
844KB

Download
memory/3032-22-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/3032-9-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3032-7-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3032-6-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3032-3-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3032-1-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3032-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3032-11-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download