Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    11-07-2024 14:34

General

  • Target

    3986fe8863635ff9127f820492d39203_JaffaCakes118.exe

  • Size

    387KB

  • MD5

    3986fe8863635ff9127f820492d39203

  • SHA1

    8cc9a140a377c67394030fe23f0fa599eb42a156

  • SHA256

    d690938d9f658b2eee47dad5223f18fe3df173174589828bb52179d34a154437

  • SHA512

    abb8858a41fd06634a41d5b6a8e99da08be68b08eb8bbf91998350de7e314505ca2e2469f185c71503998ad69fc0133d5bd59236416a2d98b08c3ac6f8bedc23

  • SSDEEP

    6144:3jOj8iZWIMWWNUar3lc7UCvFzBNzGZwUMDBwCEwZF0PcZfzUNlGq4do2:3uZWBFjlc7UCvBBN6ZwUMDCvrQzU/3I

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3986fe8863635ff9127f820492d39203_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3986fe8863635ff9127f820492d39203_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\ProgramData\iM06509AeBnN06509\iM06509AeBnN06509.exe
      "C:\ProgramData\iM06509AeBnN06509\iM06509AeBnN06509.exe" "C:\Users\Admin\AppData\Local\Temp\3986fe8863635ff9127f820492d39203_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3032

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\iM06509AeBnN06509\iM06509AeBnN06509

    Filesize

    192B

    MD5

    4052002b0cfe784865ab01a5d204aaca

    SHA1

    476f7f1af4e5609022f2e33726d9ac007a1a781b

    SHA256

    e5560b8fad3a88d34f581f56990ff22f4c5dfff9512a4c1e427578f242d3696f

    SHA512

    8a2f3556ef9903d6c7ec575682ae6d791ec4026c47eacb115f1cc9574f558ef7f3fb58d95654cfa5d80e7ed48dd34f88bb90caa2913a3319f1822b8b89f7f664

  • \ProgramData\iM06509AeBnN06509\iM06509AeBnN06509.exe

    Filesize

    387KB

    MD5

    077b57655dbe3cd151ae1a207fdca09c

    SHA1

    fed82ae5e189f03912e3559aeadb3e3588725e59

    SHA256

    6d2a36a4692009c821a2accbacb5758a00aee1036a80760789b07a8cbd0a0e7f

    SHA512

    84c13ada6f9443149eb4894963d0de46bcb1e982645e663a0c3e30651998fa7ecc58f8b2811d7876a25dd6c3affb3e16a83b2bb51d3a8fd3be8b620e5456b41d

  • memory/1824-0-0x0000000000230000-0x0000000000233000-memory.dmp

    Filesize

    12KB

  • memory/1824-1-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

  • memory/1824-17-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

  • memory/3032-19-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

  • memory/3032-25-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

  • memory/3032-29-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

  • memory/3032-38-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB