8e71dbe444f3ccaefab6b72d6579f22d1d106cd3d8835d470aa5c59e65cba561

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
13-07-2024 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4362cc8cefb46d978dc2f77ba4a8242f_JaffaCakes118.exe
Size

21KB
MD5

4362cc8cefb46d978dc2f77ba4a8242f
SHA1

da315081572b641bb33e3c6b16dbf27f2d519735
SHA256

8e71dbe444f3ccaefab6b72d6579f22d1d106cd3d8835d470aa5c59e65cba561
SHA512

d975b7ec51ae524f78dff1b9de932795f4ab678e3c6ce2a92d556c4c08a379a7f9e047295cb40208e6997e7b1d15d897cad8ee41532edce5874b2ad4d4c50819
SSDEEP

384:XGB8vObTLtDC0OMQKJQSUPp+XLPfYHJg3kskbfqowkPg8PAIcoZ2hTj:w8oLxNMdSM+XLOg3Rk2oYeAIcb5

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2764	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2408-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2408-4-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2764	2408	4362cc8cefb46d978dc2f77ba4a8242f_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2764	2408	4362cc8cefb46d978dc2f77ba4a8242f_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2764	2408	4362cc8cefb46d978dc2f77ba4a8242f_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2764	2408	4362cc8cefb46d978dc2f77ba4a8242f_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\4362cc8cefb46d978dc2f77ba4a8242f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4362cc8cefb46d978dc2f77ba4a8242f_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\a..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a..bat

Filesize
238B

MD5
e4de03faee62e0c38b587a5b53aaa223

SHA1
e2b7985523290da494cd57d99a19c2734bec670a

SHA256
8230604d14bd466d659b6280037fcf1381f4d08fc93270ee37c4d3e10f6a57d6

SHA512
a3e917c841a61fc26dc2ec964cf05b8747e75b40a0524dddf4541c65830eb334792b19fb3fc70587fccd1944c6e8789686f021a58b3ab2134a7c5983622d2c01

Download Submit
memory/2408-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2408-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2408-4-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download