d07a3ca08c9fc3843e8e6c741db577513ff49a863598ce9a32c8199d3017fc64

Analysis

max time kernel
150s
max time network
129s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 22:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

471ec7a20d11aab590f65a8c9eb9b8d7_JaffaCakes118.exe
Size

635KB
MD5

471ec7a20d11aab590f65a8c9eb9b8d7
SHA1

9914414aecc15f32d6140bd4aa619f1f89b4e74e
SHA256

d07a3ca08c9fc3843e8e6c741db577513ff49a863598ce9a32c8199d3017fc64
SHA512

6e4c266fcd41c35a24fa7621d85b270355523449276a7ae50adf0ad9af839b0c04761b88302e20710ef4eacc8adec71c401760d111eb13cb371477418e57ab1a
SSDEEP

12288:ahq55VgXogXG0FtX+wDsHEdSoXJaVbXogJG0Ltc71k:ahq55l0OrEdSo5ag0+q

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0009000000016d25-15.dat	acprotect
behavioral1/memory/3024-17-0x0000000074BE0000-0x0000000074BE9000-memory.dmp	acprotect

Loads dropped DLL 5 IoCs

pid	Process
3024	471ec7a20d11aab590f65a8c9eb9b8d7_JaffaCakes118.exe
3024	471ec7a20d11aab590f65a8c9eb9b8d7_JaffaCakes118.exe
3024	471ec7a20d11aab590f65a8c9eb9b8d7_JaffaCakes118.exe
3024	471ec7a20d11aab590f65a8c9eb9b8d7_JaffaCakes118.exe
3024	471ec7a20d11aab590f65a8c9eb9b8d7_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000016d25-15.dat	upx
behavioral1/memory/3024-17-0x0000000074BE0000-0x0000000074BE9000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3024 set thread context of 2060	3024	471ec7a20d11aab590f65a8c9eb9b8d7_JaffaCakes118.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	471ec7a20d11aab590f65a8c9eb9b8d7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\tkcd = "a8a39fa4"	471ec7a20d11aab590f65a8c9eb9b8d7_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3024	471ec7a20d11aab590f65a8c9eb9b8d7_JaffaCakes118.exe
3024	471ec7a20d11aab590f65a8c9eb9b8d7_JaffaCakes118.exe
3024	471ec7a20d11aab590f65a8c9eb9b8d7_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3024	471ec7a20d11aab590f65a8c9eb9b8d7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2060	3024	471ec7a20d11aab590f65a8c9eb9b8d7_JaffaCakes118.exe	30
PID 3024 wrote to memory of 2060	3024	471ec7a20d11aab590f65a8c9eb9b8d7_JaffaCakes118.exe	30
PID 3024 wrote to memory of 2060	3024	471ec7a20d11aab590f65a8c9eb9b8d7_JaffaCakes118.exe	30
PID 3024 wrote to memory of 2060	3024	471ec7a20d11aab590f65a8c9eb9b8d7_JaffaCakes118.exe	30
PID 3024 wrote to memory of 2060	3024	471ec7a20d11aab590f65a8c9eb9b8d7_JaffaCakes118.exe	30
PID 3024 wrote to memory of 2060	3024	471ec7a20d11aab590f65a8c9eb9b8d7_JaffaCakes118.exe	30
PID 3024 wrote to memory of 2060	3024	471ec7a20d11aab590f65a8c9eb9b8d7_JaffaCakes118.exe	30
PID 3024 wrote to memory of 2060	3024	471ec7a20d11aab590f65a8c9eb9b8d7_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\471ec7a20d11aab590f65a8c9eb9b8d7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\471ec7a20d11aab590f65a8c9eb9b8d7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\system32\explorer.exe
  2⤵
  PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso8F7.tmp\ioSpecial.ini

Filesize
647B

MD5
f8302976c57b8def14a0c528941ffe00

SHA1
26d28a27260cba45097b0c7c9603c6117bfaaca5

SHA256
a8e4dd2e82e101fca30e58777f8d0029a4054e82a3c8f73b97018200dc4193e4

SHA512
64182579bfccbbddc06fed38721d0283688f1fd49b011522c9c846b8ab8159f94a18db3529241dae3103215087eecff096f9df0c71a90d6a763c79abed407ac9

Download Submit
\Users\Admin\AppData\Local\Temp\nso8F7.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
\Users\Admin\AppData\Local\Temp\nso8F7.tmp\SelfDel.dll

Filesize
4KB

MD5
7cff7fe2caea5184d98c147e7e263132

SHA1
21f39d3d0dd5f7198d67ef30e95d10ae3460093e

SHA256
281c39b733579e031c62bdd247b41543ece1fe3bd6eda26fc8ad474b10f33101

SHA512
fb1161b8571d1d0c67e2df0d571b08f5e7a73f81409aed847344154d02406910629181bcce4e18e998ec472f51a6a1b40d956a010abdd10e850413aafa87808a

Download Submit
\Users\Admin\AppData\Local\Temp\nso8F7.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nso8F7.tmp\nsProcEx.dll

Filesize
24KB

MD5
0216cab025a4ea223141f66cbe14ccaf

SHA1
b08b563d5fd794e17208912e8237c961bca5516f

SHA256
c5c30c304347226e4ae6b758ba6ba0589cf1c0aee55886c4354859088bf88cf7

SHA512
e870aa7381e459e4114529efbfe0a354216b8e846c7c60e550749c6c625b98f8633da5e30192737a5f65de387f9497eebaf6502615cbb6fa16da5b8c5574207a

Download Submit
\Users\Admin\AppData\Local\Temp\nso8F7.tmp\winscrs.dll

Filesize
380KB

MD5
aba9373b88d323528199356d0e3e6ac3

SHA1
d409ffef8a2e9de8c02950c505d6df4e8be48048

SHA256
a395a9f9e744a9032635f6db7a037c446568adb673130ef442f804aef26f458d

SHA512
0ffad45fb8971e4e71fe8baf053d6b99e27a277269345668cdf4c0ce87093e9c779dec8682a84393a4c9a175206c25c276f86c39e76ef14ca18e837b66c340d0

Download Submit
memory/3024-17-0x0000000074BE0000-0x0000000074BE9000-memory.dmp

Filesize
36KB

Download
memory/3024-22-0x0000000002670000-0x00000000026D3000-memory.dmp

Filesize
396KB

Download