f0636d33f7193131fe9d2f3e46187f4be2072025514d6d99d7d152e2b67b511d

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2024, 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

469c0ab22294610728f1aec8182cb4dc_JaffaCakes118.exe
Size

75KB
MD5

469c0ab22294610728f1aec8182cb4dc
SHA1

94619a1727fd405e0f676c2b52fbdeb780d7107f
SHA256

f0636d33f7193131fe9d2f3e46187f4be2072025514d6d99d7d152e2b67b511d
SHA512

f86e8d59726bb56f08fdfef96d829afdda250db245da52bdf282c2aba731eb35dabbe962460fe6291f67dcb87fe1bd2e24bb58b1de04aa14908181016ebf9724
SSDEEP

1536:83TMb1FpPtMNBdYjCpl1fnouy8Jz/aFQwXsoFCw:keLpPtyb1PoutpyFQIsaCw

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4564-0-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4564-11-0x0000000000400000-0x000000000043B000-memory.dmp	upx

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3608	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 4656	4564	469c0ab22294610728f1aec8182cb4dc_JaffaCakes118.exe	85
PID 4564 wrote to memory of 4656	4564	469c0ab22294610728f1aec8182cb4dc_JaffaCakes118.exe	85
PID 4564 wrote to memory of 4656	4564	469c0ab22294610728f1aec8182cb4dc_JaffaCakes118.exe	85
PID 4656 wrote to memory of 3608	4656	cmd.exe	87
PID 4656 wrote to memory of 3608	4656	cmd.exe	87
PID 4656 wrote to memory of 3608	4656	cmd.exe	87
PID 4656 wrote to memory of 2688	4656	cmd.exe	89
PID 4656 wrote to memory of 2688	4656	cmd.exe	89
PID 4656 wrote to memory of 2688	4656	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\469c0ab22294610728f1aec8182cb4dc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\469c0ab22294610728f1aec8182cb4dc_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AC0F.tmp\FixTools.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3 -w 1 -l 1
    3⤵
    - Runs ping.exe
    PID:3608
- - C:\Windows\SysWOW64\cscript.exe
    cscript ospp.vbs /osppsvcrestart
    3⤵
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AC0F.tmp\FixTools.bat

Filesize
9KB

MD5
993d98530c5d937eab84bcf0c087e2e0

SHA1
f0ddcf2cd650faf32aa113bd3395f1fc8c3380af

SHA256
05e6d5ac6ade7b2186379ae6d8fe10e169d0d2eba6d213d2eecfbc8583a20be8

SHA512
f22a654c602efd97f241994627e553a30108a0ad131c96947367b55483dc28d27f854287548bd76c9f184e0807e86ff512a668f5446027fde4830a657bcf421d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC0F.tmp\ospp.vbs

Filesize
48KB

MD5
572e9a87757ac96c7677fd1b1b113c55

SHA1
9c8b96971997cd2dc0ed14f19dd9bc56d3348c3a

SHA256
008cf05944053116a095ad466561d3fd4be8a7de79e5ada7c5daab492f730465

SHA512
bf670754942cfa839de4a31676a3ba2ac8cd1a00de6f1b70aff995e14a9c489e996e9a019898ec3470a11d02c14ab7a8fe4855a8f028d6b4ea987e51411d7be3

Download Submit
memory/4564-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4564-11-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download