9eb0bad5d55e2f6e53656993a79d4e32d6bd70b4163f0b6870b2920bb5f3beeb

Analysis

max time kernel
94s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 07:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

382a623b6658176667c45cf017548cba_JaffaCakes118.exe
Size

839KB
MD5

382a623b6658176667c45cf017548cba
SHA1

a4d02efebfd32286d6b555fc85f514dc935ba286
SHA256

9eb0bad5d55e2f6e53656993a79d4e32d6bd70b4163f0b6870b2920bb5f3beeb
SHA512

aa6b79bbdc5788a021f3fb38b563f69477b7f53bc272f4b72faf421afe54616fd6ae7be99332d72858c47969edf0bc13f623dfb4acd722e4ed15d8ddc382d066
SSDEEP

12288:Ighm8FELJ17wCpNPjIqxuuECGDUg8Zy/cLONpB6v:Ikm8eHLO7Bu

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5040-0-0x0000000000400000-0x00000000004D3000-memory.dmp	upx
behavioral2/memory/5040-13-0x0000000000400000-0x00000000004D3000-memory.dmp	upx
behavioral2/files/0x000800000002347a-16.dat	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5040 set thread context of 3992	5040	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	84

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4416	reg.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 3992	5040	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	84
PID 5040 wrote to memory of 3992	5040	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	84
PID 5040 wrote to memory of 3992	5040	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	84
PID 5040 wrote to memory of 3992	5040	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	84
PID 5040 wrote to memory of 3992	5040	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	84
PID 5040 wrote to memory of 3992	5040	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	84
PID 5040 wrote to memory of 3992	5040	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	84
PID 3992 wrote to memory of 4640	3992	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	85
PID 3992 wrote to memory of 4640	3992	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	85
PID 3992 wrote to memory of 4640	3992	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	85
PID 5040 wrote to memory of 2828	5040	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	87
PID 5040 wrote to memory of 2828	5040	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	87
PID 5040 wrote to memory of 2828	5040	382a623b6658176667c45cf017548cba_JaffaCakes118.exe	87
PID 4640 wrote to memory of 4416	4640	cmd.exe	89
PID 4640 wrote to memory of 4416	4640	cmd.exe	89
PID 4640 wrote to memory of 4416	4640	cmd.exe	89
PID 4640 wrote to memory of 1560	4640	cmd.exe	90
PID 4640 wrote to memory of 1560	4640	cmd.exe	90
PID 4640 wrote to memory of 1560	4640	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\382a623b6658176667c45cf017548cba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\382a623b6658176667c45cf017548cba_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Local\Temp\382a623b6658176667c45cf017548cba_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\382a623b6658176667c45cf017548cba_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Start.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4640
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .exe /f
      4⤵
      Modifies registry key
      PID:4416
  - - C:\Windows\SysWOW64\gpupdate.exe
      gpupdate /force
      4⤵
      PID:1560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jnduf.bat
  2⤵
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Start.bat

Filesize
200B

MD5
9cedeb0b293d2b5491225ef3d9eb2a8b

SHA1
b607ef9bd319b6ec696c8dab8a314998d133298b

SHA256
3fc59706783a0778da9121da52a63e34e47c82f436d5b14943e14fb418fd4f08

SHA512
ec7d4544e32b1ea460895b1037a9eca2529eed45d6ee1644f83dfc4d4ad8f7c32a811ee4627bc6b243fb5d5c9e3e2b22060d6a2903692830ff1f114d2b9f3cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf.bat

Filesize
305B

MD5
7c9b1ae619f1dec9f160d4782fc7676f

SHA1
2e08844997427afcf7e4b6fbb888983e88f9096f

SHA256
3d598e9af59166895dd9929a028a6b1dd3915a8df53a3903fcbb80764be119d9

SHA512
354a045bac432253b62eb425839515c74e59f6960e85106fefc7d751c6b3b8274693266d36952bf8efc9cfabdebc4eca4ffd58f45ead11b7ea7009e80a31e107

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf~.tmp

Filesize
839KB

MD5
9fa82ff5ea5f36db7f3b1563626f0db9

SHA1
a2ddfc37ad902b21c6abdd36fb69a948a90a8e6c

SHA256
3c1490c0ec1646c97722fb712cd4adc43595aa91a499d7ac457bce7c24004182

SHA512
96e27e553614d54efa47565caf2ed657d421ddfd1e535fd0a26b579d102ce335168963777f6510ceb7d3d6ee735fecc9aa8054ab0578fa07293d42e1a7d0b23b

Download Submit
memory/3992-1-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3992-3-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3992-6-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3992-7-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5040-0-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/5040-13-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download