9374b8a2267154c59fd7389bd5520510617c4bdf4357f2ad5b2c32ae1c52a2f2

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
Size

1.1MB
MD5

38e2363aba9431952826f6220ef5a28b
SHA1

79f95c14ac20ed9a1181d054f83f99805a593006
SHA256

9374b8a2267154c59fd7389bd5520510617c4bdf4357f2ad5b2c32ae1c52a2f2
SHA512

9ccf5c3a0315197b9413b842a3aad74074d8283ffd08e0e863546aeb27d8b6a8427c2f26f694f933924d62881ca284b32c847f143d96c38989422db4e25b3934
SSDEEP

24576:gdoOXm9XYyfakppqoSvMsSgvcfRjI/IT/bKJq+ax:M1yiGpqgsS1RVqJk

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1728	Server crypted.exe

Loads dropped DLL 3 IoCs

pid	Process
2560	38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
1728	Server crypted.exe
1728	Server crypted.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2560-54-0x0000000000400000-0x00000000004DC000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: 33	2560	38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2560	38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
Token: 33	2560	38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2560	38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
Token: 33	2560	38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2560	38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
Token: 33	2560	38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2560	38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
Token: 33	1728	Server crypted.exe
Token: SeIncBasePriorityPrivilege	1728	Server crypted.exe
Token: 33	1728	Server crypted.exe
Token: SeIncBasePriorityPrivilege	1728	Server crypted.exe
Token: 33	1728	Server crypted.exe
Token: SeIncBasePriorityPrivilege	1728	Server crypted.exe
Token: 33	1728	Server crypted.exe
Token: SeIncBasePriorityPrivilege	1728	Server crypted.exe
Token: SeDebugPrivilege	1728	Server crypted.exe
Token: 33	1728	Server crypted.exe
Token: SeIncBasePriorityPrivilege	1728	Server crypted.exe
Token: 33	1728	Server crypted.exe
Token: SeIncBasePriorityPrivilege	1728	Server crypted.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 1728	2560	38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe	30
PID 2560 wrote to memory of 1728	2560	38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe	30
PID 2560 wrote to memory of 1728	2560	38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe	30
PID 2560 wrote to memory of 1728	2560	38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe	30
PID 1728 wrote to memory of 992	1728	Server crypted.exe	31
PID 1728 wrote to memory of 992	1728	Server crypted.exe	31
PID 1728 wrote to memory of 992	1728	Server crypted.exe	31
PID 1728 wrote to memory of 992	1728	Server crypted.exe	31
PID 1728 wrote to memory of 1548	1728	Server crypted.exe	32
PID 1728 wrote to memory of 1548	1728	Server crypted.exe	32
PID 1728 wrote to memory of 1548	1728	Server crypted.exe	32
PID 1728 wrote to memory of 1548	1728	Server crypted.exe	32

C:\Users\Admin\AppData\Local\Temp\38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.05.06T22.20\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Server crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Server crypted.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.05.06T22.20\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Server crypted.exe
    "Server crypted.exe"
    3⤵
    PID:992
- - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.05.06T22.20\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Server crypted.exe
    "Server crypted.exe"
    3⤵
    PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.05.06T22.20\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Server crypted.exe

Filesize
17KB

MD5
330ef6ca142cd3c1935bb0a68f5e2618

SHA1
fe2aa356fbcfa656c3518c20f06ff6d04991f0dd

SHA256
3357279b9d1694848577d6e0573720d841b2c81cd5a40cbe5d905068180a6a91

SHA512
7a0ab2e73640f886a06c923184dd4223d1d1897e97221b74e469bd5deb144535991bdde135f02fe80e1a3df52808450ba3712e49ea9ea8a343067425c458ddf3

Download Submit
memory/2560-41-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-54-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2560-212-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-205-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-197-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-191-0x0000000077A90000-0x0000000077A91000-memory.dmp

Filesize
4KB

Download
memory/2560-177-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-133-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-108-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-87-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-67-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-64-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-60-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-35-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-53-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-37-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-52-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-49-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-47-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-45-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-43-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-62-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-211-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-40-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-57-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-33-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-31-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-29-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-27-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-25-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-23-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-21-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-19-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-17-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-15-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-13-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-11-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-9-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-7-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-5-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-3-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-1-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-0-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-189-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2560-616-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download