5b8249fca812e9a32f74ec771bb285f0f55a9a41c7779f9bc82a2f1d240e46d3

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2024 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
Size

364KB
MD5

43e498b7ea8da48fa361968ddf376637
SHA1

cbb0714cde994055ac130524c8ebf7141d8b224c
SHA256

5b8249fca812e9a32f74ec771bb285f0f55a9a41c7779f9bc82a2f1d240e46d3
SHA512

bbc49717711e5a4ef377325c85a8351d9c12a3d3f3b7a3dde273ba9764d6f4181f2499801cff078238067199ca0090814f3299a090ecbdc8734e7bcb2a4d9692
SSDEEP

6144:iiRV+qT5KYaGySK87aog7NTOog89WA8CcPTHhBjLX0/6ql/JqpHq:iiCi5KYaGTaoye885CSThzq

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4112	hGa01808bKoEe01808.exe

Executes dropped EXE 2 IoCs

pid	Process
1796	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1168-2-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral2/memory/1168-1-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/1796-16-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral2/memory/1796-22-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral2/memory/1168-24-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral2/memory/1168-25-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/4112-27-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral2/memory/4112-34-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral2/memory/4112-41-0x0000000000400000-0x00000000004CB000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hGa01808bKoEe01808 = "C:\\ProgramData\\hGa01808bKoEe01808\\hGa01808bKoEe01808.exe"	hGa01808bKoEe01808.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1168	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
1168	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
1168	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
1168	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
1168	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
1168	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
1796	hGa01808bKoEe01808.exe
1796	hGa01808bKoEe01808.exe
1168	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
1168	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
1796	hGa01808bKoEe01808.exe
1796	hGa01808bKoEe01808.exe
1796	hGa01808bKoEe01808.exe
1796	hGa01808bKoEe01808.exe
1168	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
1168	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
1168	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
1168	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
1168	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
1168	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1168	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
Token: SeDebugPrivilege	1796	hGa01808bKoEe01808.exe
Token: SeDebugPrivilege	4112	hGa01808bKoEe01808.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4112	hGa01808bKoEe01808.exe
4112	hGa01808bKoEe01808.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 1796	1168	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe	85
PID 1168 wrote to memory of 1796	1168	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe	85
PID 1168 wrote to memory of 1796	1168	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe	85
PID 1168 wrote to memory of 4112	1168	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe	87
PID 1168 wrote to memory of 4112	1168	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe	87
PID 1168 wrote to memory of 4112	1168	43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168
- C:\ProgramData\hGa01808bKoEe01808\hGa01808bKoEe01808.exe
  "C:\ProgramData\hGa01808bKoEe01808\hGa01808bKoEe01808.exe" BOMBARDAMAXIMUM
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\ProgramData\hGa01808bKoEe01808\hGa01808bKoEe01808.exe
  "C:\ProgramData\hGa01808bKoEe01808\hGa01808bKoEe01808.exe" "C:\Users\Admin\AppData\Local\Temp\43e498b7ea8da48fa361968ddf376637_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hGa01808bKoEe01808\hGa01808bKoEe01808

Filesize
192B

MD5
b609a57de6f24524f73c1e3eabe1ba8d

SHA1
76c918da6eac0db801fddc3c34346fc8adbd09ba

SHA256
1f366799ca4026f092f8c31a42def568115b1f7ec8d0f8ad1c2825d30a15bf9f

SHA512
e80ab8bdb9b935bd6e022375a76ab07d674888a6467a1f403eb16711c6f9180af72c634a27441b1e1ffd41887e1ff3b169c370776b44230673aad9abfc20e2c7

Download Submit
C:\ProgramData\hGa01808bKoEe01808\hGa01808bKoEe01808.exe

Filesize
364KB

MD5
a88267d7c1bf8693ad6eee62c8cbd4cd

SHA1
2671cd0a1cd82608165e5a9209904afa91b63e05

SHA256
db990bccc359b7c84a69214ac66bf663c16a954b4c31595a76e6396da9a13680

SHA512
58ad2a31de00385b435e8bc02f539bb9626c5d94636ac9a39dd255048a6e902530c7efde45b255fabdbb971c6ccb7d0f3f49d3ff6a5e424195c48fcfd73d31e2

Download Submit
memory/1168-2-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1168-1-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1168-24-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1168-25-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1796-16-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1796-15-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1796-22-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4112-27-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4112-34-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4112-41-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download