1c2e0bbf28025f30da320ddcca6edc1da4bc30034dc07f132ba607e7b9d95b8e

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2024 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44ccf62482390166321db6f2f0c9b69d_JaffaCakes118.exe
Size

456KB
MD5

44ccf62482390166321db6f2f0c9b69d
SHA1

ecdd1630c8ac2c534a72cbc1a8359cb2c63d7649
SHA256

1c2e0bbf28025f30da320ddcca6edc1da4bc30034dc07f132ba607e7b9d95b8e
SHA512

fbf1992dc209acab72e5e8a742c941713f064c35f75dcef17e5e952c5d796c194e4b95fcc9fd629cbeac2a66857386d4a9d48dc5f7e45c9bcf9539eaba0f361c
SSDEEP

6144:BWvNRmarSQuLY/pqkqeWAp4zJluQisusBV4brups/OhiFL6O8umMlUAFs2VLFWeK:cSaupYBxq2CVcQi/is6XjAFs2VLFg

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4756	aC00000FhAdN00000.exe

Executes dropped EXE 1 IoCs

pid	Process
4756	aC00000FhAdN00000.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2256-2-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/2256-14-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/2256-15-0x0000000000400000-0x00000000004BF000-memory.dmp	upx
behavioral2/memory/4756-17-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/4756-25-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/4756-29-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aC00000FhAdN00000 = "C:\\ProgramData\\aC00000FhAdN00000\\aC00000FhAdN00000.exe"	aC00000FhAdN00000.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3032	4756	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2256	44ccf62482390166321db6f2f0c9b69d_JaffaCakes118.exe
2256	44ccf62482390166321db6f2f0c9b69d_JaffaCakes118.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe
4756	aC00000FhAdN00000.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	44ccf62482390166321db6f2f0c9b69d_JaffaCakes118.exe
Token: SeDebugPrivilege	4756	aC00000FhAdN00000.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 4756	2256	44ccf62482390166321db6f2f0c9b69d_JaffaCakes118.exe	86
PID 2256 wrote to memory of 4756	2256	44ccf62482390166321db6f2f0c9b69d_JaffaCakes118.exe	86
PID 2256 wrote to memory of 4756	2256	44ccf62482390166321db6f2f0c9b69d_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\44ccf62482390166321db6f2f0c9b69d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\44ccf62482390166321db6f2f0c9b69d_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256
- C:\ProgramData\aC00000FhAdN00000\aC00000FhAdN00000.exe
  "C:\ProgramData\aC00000FhAdN00000\aC00000FhAdN00000.exe" "C:\Users\Admin\AppData\Local\Temp\44ccf62482390166321db6f2f0c9b69d_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 1252
    3⤵
    - Program crash
    PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4756 -ip 4756
1⤵
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\aC00000FhAdN00000\aC00000FhAdN00000.exe

Filesize
456KB

MD5
2673fa4ffb78ca3dbf727574fe2881d6

SHA1
c3799c302afa79d41f097e368dcd4eeff9fbfccc

SHA256
da6977352fb866836f605ec7198bd08561aebc8cbde9a837045b6243aa74a293

SHA512
a6c24ffc84633d4080472b069fe0071db84dd1b6d4416dcf1bfaa4aa60807ba07c93955503dec6d6308e6532ca6e4ce61db4d15614a5ba7f9fc5bb619245b142

Download Submit
memory/2256-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2256-2-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2256-14-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2256-15-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4756-17-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4756-25-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4756-29-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download