42d4d05163f7215ec7f08dd805458eeb995657f00388550d73597ee79fedc7b9

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12-07-2024 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cc8d9f3123b467e96e20389446f6df6_JaffaCakes118.exe
Size

1.8MB
MD5

3cc8d9f3123b467e96e20389446f6df6
SHA1

ca8f465a80b7a144685d6aec4bb1e463ef4560ba
SHA256

42d4d05163f7215ec7f08dd805458eeb995657f00388550d73597ee79fedc7b9
SHA512

2837a1ab4da588186ebceb49b5a55c654edfb3e39398b3c4ed42ace9c3e5fce91a409aa9a1921e92cd88ef824b92b252eaaef78e02ca65c47d10c49e3e6f3c8f
SSDEEP

49152:Dgq1kMLzrf0SgEm8kG99Yry2cwIDa7CA6xm7I:DPBj0SJVHYryeE8Zs

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2952	a4a24316f9s84dg.exe
2084	8uz301z38783w2d.exe

Loads dropped DLL 3 IoCs

pid	Process
1232	3cc8d9f3123b467e96e20389446f6df6_JaffaCakes118.exe
2952	a4a24316f9s84dg.exe
2952	a4a24316f9s84dg.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2084-20-0x0000000000400000-0x00000000007B0000-memory.dmp	upx
behavioral1/memory/2084-19-0x0000000000400000-0x00000000007B0000-memory.dmp	upx
behavioral1/memory/2084-21-0x0000000000400000-0x00000000007B0000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2084	8uz301z38783w2d.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 2952	1232	3cc8d9f3123b467e96e20389446f6df6_JaffaCakes118.exe	30
PID 1232 wrote to memory of 2952	1232	3cc8d9f3123b467e96e20389446f6df6_JaffaCakes118.exe	30
PID 1232 wrote to memory of 2952	1232	3cc8d9f3123b467e96e20389446f6df6_JaffaCakes118.exe	30
PID 1232 wrote to memory of 2952	1232	3cc8d9f3123b467e96e20389446f6df6_JaffaCakes118.exe	30
PID 1232 wrote to memory of 2952	1232	3cc8d9f3123b467e96e20389446f6df6_JaffaCakes118.exe	30
PID 1232 wrote to memory of 2952	1232	3cc8d9f3123b467e96e20389446f6df6_JaffaCakes118.exe	30
PID 1232 wrote to memory of 2952	1232	3cc8d9f3123b467e96e20389446f6df6_JaffaCakes118.exe	30
PID 2952 wrote to memory of 2084	2952	a4a24316f9s84dg.exe	31
PID 2952 wrote to memory of 2084	2952	a4a24316f9s84dg.exe	31
PID 2952 wrote to memory of 2084	2952	a4a24316f9s84dg.exe	31
PID 2952 wrote to memory of 2084	2952	a4a24316f9s84dg.exe	31
PID 2952 wrote to memory of 2084	2952	a4a24316f9s84dg.exe	31
PID 2952 wrote to memory of 2084	2952	a4a24316f9s84dg.exe	31
PID 2952 wrote to memory of 2084	2952	a4a24316f9s84dg.exe	31

C:\Users\Admin\AppData\Local\Temp\3cc8d9f3123b467e96e20389446f6df6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3cc8d9f3123b467e96e20389446f6df6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\a4a24316f9s84dg.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\a4a24316f9s84dg.exe" -e -pyquc867l6457bj3
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\8uz301z38783w2d.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\8uz301z38783w2d.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\a4a24316f9s84dg.exe

Filesize
1.8MB

MD5
aceb2d2d8df8245b7fbaeaf10aa581bb

SHA1
07eea8831c6473016d114765e9c41cffc9a5130a

SHA256
d655e784d266d0c1923575bd09eae8f285c8e7aedad16456fed661561bd9e38b

SHA512
6af586b87d62883eda94576c2e87b9c81ffc72258e03826773d7471decd14915f2342085c1aa68a81af4f0045c02f5b495f6661c353586acc0a0b7af85b9c886

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\8uz301z38783w2d.exe

Filesize
2.3MB

MD5
2840af7809c5f80165ef07ac008f0555

SHA1
1458757532b3a4b16d8b175f735b6a771b5e7186

SHA256
d8adee3fa11123d87cf46e5ae166fcadcab01e55ed958052d09d688f64fddaf1

SHA512
10300dbac22ce7972258f5ab5be32466a2279b062a7c577eeb54bab576125e80c98429e0ec2e7207251d16fa3eda15e87ce3fa4dc6a3d0d0a04fdbac95d92245

Download Submit
memory/2084-20-0x0000000000400000-0x00000000007B0000-memory.dmp

Filesize
3.7MB

Download
memory/2084-19-0x0000000000400000-0x00000000007B0000-memory.dmp

Filesize
3.7MB

Download
memory/2084-21-0x0000000000400000-0x00000000007B0000-memory.dmp

Filesize
3.7MB

Download