f0636d33f7193131fe9d2f3e46187f4be2072025514d6d99d7d152e2b67b511d

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

469c0ab22294610728f1aec8182cb4dc_JaffaCakes118.exe
Size

75KB
MD5

469c0ab22294610728f1aec8182cb4dc
SHA1

94619a1727fd405e0f676c2b52fbdeb780d7107f
SHA256

f0636d33f7193131fe9d2f3e46187f4be2072025514d6d99d7d152e2b67b511d
SHA512

f86e8d59726bb56f08fdfef96d829afdda250db245da52bdf282c2aba731eb35dabbe962460fe6291f67dcb87fe1bd2e24bb58b1de04aa14908181016ebf9724
SSDEEP

1536:83TMb1FpPtMNBdYjCpl1fnouy8Jz/aFQwXsoFCw:keLpPtyb1PoutpyFQIsaCw

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2548-0-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2548-16-0x0000000000400000-0x000000000043B000-memory.dmp	upx

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1428	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1924	2548	469c0ab22294610728f1aec8182cb4dc_JaffaCakes118.exe	31
PID 2548 wrote to memory of 1924	2548	469c0ab22294610728f1aec8182cb4dc_JaffaCakes118.exe	31
PID 2548 wrote to memory of 1924	2548	469c0ab22294610728f1aec8182cb4dc_JaffaCakes118.exe	31
PID 2548 wrote to memory of 1924	2548	469c0ab22294610728f1aec8182cb4dc_JaffaCakes118.exe	31
PID 1924 wrote to memory of 1428	1924	cmd.exe	32
PID 1924 wrote to memory of 1428	1924	cmd.exe	32
PID 1924 wrote to memory of 1428	1924	cmd.exe	32
PID 1924 wrote to memory of 1428	1924	cmd.exe	32
PID 1924 wrote to memory of 876	1924	cmd.exe	33
PID 1924 wrote to memory of 876	1924	cmd.exe	33
PID 1924 wrote to memory of 876	1924	cmd.exe	33
PID 1924 wrote to memory of 876	1924	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\469c0ab22294610728f1aec8182cb4dc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\469c0ab22294610728f1aec8182cb4dc_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\C429.tmp\FixTools.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3 -w 1 -l 1
    3⤵
    - Runs ping.exe
    PID:1428
- - C:\Windows\SysWOW64\cscript.exe
    cscript ospp.vbs /osppsvcrestart
    3⤵
    PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C429.tmp\FixTools.bat

Filesize
9KB

MD5
993d98530c5d937eab84bcf0c087e2e0

SHA1
f0ddcf2cd650faf32aa113bd3395f1fc8c3380af

SHA256
05e6d5ac6ade7b2186379ae6d8fe10e169d0d2eba6d213d2eecfbc8583a20be8

SHA512
f22a654c602efd97f241994627e553a30108a0ad131c96947367b55483dc28d27f854287548bd76c9f184e0807e86ff512a668f5446027fde4830a657bcf421d

Download Submit
C:\Users\Admin\AppData\Local\Temp\C429.tmp\ospp.vbs

Filesize
48KB

MD5
572e9a87757ac96c7677fd1b1b113c55

SHA1
9c8b96971997cd2dc0ed14f19dd9bc56d3348c3a

SHA256
008cf05944053116a095ad466561d3fd4be8a7de79e5ada7c5daab492f730465

SHA512
bf670754942cfa839de4a31676a3ba2ac8cd1a00de6f1b70aff995e14a9c489e996e9a019898ec3470a11d02c14ab7a8fe4855a8f028d6b4ea987e51411d7be3

Download Submit
memory/2548-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2548-16-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download