5b8249fca812e9a32f74ec771bb285f0f55a9a41c7779f9bc82a2f1d240e46d3

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
Size

364KB
MD5

43e498b7ea8da48fa361968ddf376637
SHA1

cbb0714cde994055ac130524c8ebf7141d8b224c
SHA256

5b8249fca812e9a32f74ec771bb285f0f55a9a41c7779f9bc82a2f1d240e46d3
SHA512

bbc49717711e5a4ef377325c85a8351d9c12a3d3f3b7a3dde273ba9764d6f4181f2499801cff078238067199ca0090814f3299a090ecbdc8734e7bcb2a4d9692
SSDEEP

6144:iiRV+qT5KYaGySK87aog7NTOog89WA8CcPTHhBjLX0/6ql/JqpHq:iiCi5KYaGTaoye885CSThzq

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2532	mFl01808gIgFm01808.exe

Executes dropped EXE 2 IoCs

pid	Process
2200	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe

Loads dropped DLL 4 IoCs

pid	Process
2280	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
2280	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
2280	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
2280	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2280-1-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/2280-2-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/2200-19-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/2280-29-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/2280-30-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/2532-33-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/2532-34-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/2200-41-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/2532-42-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/2532-51-0x0000000000400000-0x00000000004CB000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mFl01808gIgFm01808 = "C:\\ProgramData\\mFl01808gIgFm01808\\mFl01808gIgFm01808.exe"	mFl01808gIgFm01808.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	mFl01808gIgFm01808.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
2280	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
2280	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
2280	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
2280	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
2280	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
2200	mFl01808gIgFm01808.exe
2280	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
2200	mFl01808gIgFm01808.exe
2280	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
2200	mFl01808gIgFm01808.exe
2280	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
2200	mFl01808gIgFm01808.exe
2280	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
2200	mFl01808gIgFm01808.exe
2200	mFl01808gIgFm01808.exe
2200	mFl01808gIgFm01808.exe
2200	mFl01808gIgFm01808.exe
2200	mFl01808gIgFm01808.exe
2200	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe
2200	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe
2200	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe
2200	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe
2200	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe
2200	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe
2200	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe
2200	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe
2200	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe
2200	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe
2200	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe
2200	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe
2200	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe
2200	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe
2200	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe
2200	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe
2200	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe
2200	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe
2200	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe
2200	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe
2200	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe
2200	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2280	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
Token: SeDebugPrivilege	2200	mFl01808gIgFm01808.exe
Token: SeDebugPrivilege	2532	mFl01808gIgFm01808.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2532	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2532	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2532	mFl01808gIgFm01808.exe
2532	mFl01808gIgFm01808.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2200	2280	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe	31
PID 2280 wrote to memory of 2200	2280	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe	31
PID 2280 wrote to memory of 2200	2280	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe	31
PID 2280 wrote to memory of 2200	2280	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe	31
PID 2280 wrote to memory of 2532	2280	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe	32
PID 2280 wrote to memory of 2532	2280	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe	32
PID 2280 wrote to memory of 2532	2280	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe	32
PID 2280 wrote to memory of 2532	2280	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280
- C:\ProgramData\mFl01808gIgFm01808\mFl01808gIgFm01808.exe
  "C:\ProgramData\mFl01808gIgFm01808\mFl01808gIgFm01808.exe" BOMBARDAMAXIMUM
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\ProgramData\mFl01808gIgFm01808\mFl01808gIgFm01808.exe
  "C:\ProgramData\mFl01808gIgFm01808\mFl01808gIgFm01808.exe" "C:\Users\Admin\AppData\Local\Temp\43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mFl01808gIgFm01808\mFl01808gIgFm01808

Filesize
192B

MD5
5d6f864c90ce09f2e9ae6c7c64e46ef9

SHA1
9d590aa0cc40479ef55dc46c40ff808e851fbde1

SHA256
d151444f93e057487bf8ed2ebfae599673fcf3d308d50a75a9575021dd1c04ca

SHA512
8ed065eef47191db346d3b405e018a15cc43974265d9fc6d353968a803a393fb6036223735f2abc71d9fef926ddfc0ae4a8f31841400bf7836777ee7723e6d3e

Download Submit
C:\ProgramData\mFl01808gIgFm01808\mFl01808gIgFm01808

Filesize
192B

MD5
4948aa2672a23b34ff32d694b78da49e

SHA1
d37460a3dae2f4ffe25a1b9c8bcae354d4d524e0

SHA256
09ed276f655a583699e5565dfeeb4fb709b630770bbe53dd4e978fcee61c55c1

SHA512
6de84288ec2bf6fcba24a8e144076129356b7d2826f03b05740ed9e3652c417f382a7377e5d03e86c229ad7045a3e02b47cae133ac41f5d12f7b0bf5ed06469f

Download Submit
\ProgramData\mFl01808gIgFm01808\mFl01808gIgFm01808.exe

Filesize
364KB

MD5
ecc72b449427a7963dc25163f4440d87

SHA1
417c14bdbe4538a47fbb9975c78b6883e5604d1c

SHA256
d2dec4246d7b3bf6de11a33563f6f80d21532addcfa5818838ce8ae5b86d7523

SHA512
2128db14b15cb19ceaf9d2ff58541dc47aa0dfb06b14f2dfdb0cf489fa102d752536f1b1875500e2f0ad59f6d2dd85899ca5cea70b01b6e3334b8d0e28aa0df9

Download Submit
memory/2200-19-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2200-41-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2280-1-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2280-29-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2280-30-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2280-2-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2532-33-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2532-34-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2532-42-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2532-51-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download