356356040f0850885429cd2f8c95488416ead2cbb824ddec4548791574d06f51

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12-07-2024 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b55741f5f7c23175c9e74021172c08d_JaffaCakes118.exe
Size

43KB
MD5

3b55741f5f7c23175c9e74021172c08d
SHA1

b96bed86e6ad42bcc4b856bcac4a514d6c665dd4
SHA256

356356040f0850885429cd2f8c95488416ead2cbb824ddec4548791574d06f51
SHA512

29b6c2902aeedd9e9c30c524f1f6ef3d7f3d222992ae24b9a495bec33c107a0cfa36b367a42f6f53b60292da2c48cc211a6d42edf2477ed31043436cc2614190
SSDEEP

768:uMoFJl5/ija+1Im1+B3HTe71vuRWIbwacYD9kFF4X4J4imqq/uuHtI:VoFJy+5HTe71vusIkrY24oJ40yuuNI

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00090000000234ad-7.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
4760	SysDlMu.exe

Loads dropped DLL 2 IoCs

pid	Process
4760	SysDlMu.exe
4760	SysDlMu.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00090000000234ad-7.dat	upx
behavioral2/memory/4760-11-0x0000000000580000-0x0000000000594000-memory.dmp	upx
behavioral2/memory/4760-17-0x0000000000580000-0x0000000000594000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysDlMu.exe	3b55741f5f7c23175c9e74021172c08d_JaffaCakes118.exe
File opened for modification	C:\Windows\NTDLMu.DLL	SysDlMu.exe
File created	C:\Windows\NTDLMu.DLL	SysDlMu.exe
File opened for modification	C:\Windows\SysDlMu.exe	3b55741f5f7c23175c9e74021172c08d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	4760	SysDlMu.exe
Token: SeRestorePrivilege	4760	SysDlMu.exe
Token: SeRestorePrivilege	4760	SysDlMu.exe
Token: SeRestorePrivilege	4760	SysDlMu.exe
Token: SeRestorePrivilege	4760	SysDlMu.exe
Token: SeRestorePrivilege	4760	SysDlMu.exe
Token: SeBackupPrivilege	4760	SysDlMu.exe
Token: SeRestorePrivilege	4760	SysDlMu.exe
Token: SeRestorePrivilege	4760	SysDlMu.exe
Token: SeRestorePrivilege	4760	SysDlMu.exe
Token: SeRestorePrivilege	4760	SysDlMu.exe
Token: SeRestorePrivilege	4760	SysDlMu.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4760	SysDlMu.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 4760	628	3b55741f5f7c23175c9e74021172c08d_JaffaCakes118.exe	84
PID 628 wrote to memory of 4760	628	3b55741f5f7c23175c9e74021172c08d_JaffaCakes118.exe	84
PID 628 wrote to memory of 4760	628	3b55741f5f7c23175c9e74021172c08d_JaffaCakes118.exe	84
PID 628 wrote to memory of 4224	628	3b55741f5f7c23175c9e74021172c08d_JaffaCakes118.exe	87
PID 628 wrote to memory of 4224	628	3b55741f5f7c23175c9e74021172c08d_JaffaCakes118.exe	87
PID 628 wrote to memory of 4224	628	3b55741f5f7c23175c9e74021172c08d_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\3b55741f5f7c23175c9e74021172c08d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b55741f5f7c23175c9e74021172c08d_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\SysDlMu.exe
  C:\Windows\SysDlMu.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Deleteme.bat
  2⤵
  PID:4224

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Deleteme.bat

Filesize
212B

MD5
2c18c1fb43011743f4b1c9cee2d882a5

SHA1
45432a2a61c087a7091343ceb5a6995003849013

SHA256
2727a431aad943d8ebcc1e41356fee223d66d14b6467b0f1614307f5742dd7c8

SHA512
d253b2c55197adef2d7a9d40ae97f3e87bb97112f339226cded0d897db484aa3619138488bdfeefd7f66fc5644b4b96af485a4bb8829ac528502a7ef479b9587

Download Submit
C:\Windows\NTDLMu.DLL

Filesize
17KB

MD5
4fcee96dad62e254fcb1174edf71e1b4

SHA1
e9abf19680a386b6762d4df4aeca16f1c22d8187

SHA256
5cc46df1fb17e56b1ba8fa6689309a81b8c74d44707c7a0e175262ced453cc67

SHA512
88ab0f9c4f419694df804d0224aa3b89a12c6caf41e619e6a69df59ef05c597f45da3b77fd4cd7dabc5e7f3b2dc0e01463612a7a2f99890b17556505fb060d65

Download Submit
C:\Windows\SysDlMu.exe

Filesize
43KB

MD5
3b55741f5f7c23175c9e74021172c08d

SHA1
b96bed86e6ad42bcc4b856bcac4a514d6c665dd4

SHA256
356356040f0850885429cd2f8c95488416ead2cbb824ddec4548791574d06f51

SHA512
29b6c2902aeedd9e9c30c524f1f6ef3d7f3d222992ae24b9a495bec33c107a0cfa36b367a42f6f53b60292da2c48cc211a6d42edf2477ed31043436cc2614190

Download Submit
memory/628-18-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4760-11-0x0000000000580000-0x0000000000594000-memory.dmp

Filesize
80KB

Download
memory/4760-14-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4760-17-0x0000000000580000-0x0000000000594000-memory.dmp

Filesize
80KB

Download