97b6ffbc2665658cfed89db2f10ecdf92821220ffd956e815b698f9bf0e6b20d

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 22:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4bac5354361f6c12ff5dde774c41b40b_JaffaCakes118.exe
Size

13KB
MD5

4bac5354361f6c12ff5dde774c41b40b
SHA1

1df8b0221aafe91c27e45b6b06aa365874ce3702
SHA256

97b6ffbc2665658cfed89db2f10ecdf92821220ffd956e815b698f9bf0e6b20d
SHA512

8628ec20bee151ac8abb1b51c5848b27a63dd952763f404637caf80fac766d6e37dda171a653b7686ab7deaa18464785ae004ea1b0d926009810e115d714acab
SSDEEP

192:Ry+1caixqbgVoV1nO7CvIZcPZbvKZpJ1nyTC1tPPPziafROFrqjC2AbRi5m/lh02:I+PV82OiIZcPZyfnN11Sv4+h0jzMsa

Score

8^/10

persistence privilege_escalation upx

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Deletes itself 1 IoCs

pid	Process
1848	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2540	meyotmek.exe

Loads dropped DLL 2 IoCs

pid	Process
3032	4bac5354361f6c12ff5dde774c41b40b_JaffaCakes118.exe
3032	4bac5354361f6c12ff5dde774c41b40b_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3032-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x000700000001960c-3.dat	upx
behavioral1/memory/2540-11-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/3032-20-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\meyotme.dll	4bac5354361f6c12ff5dde774c41b40b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\meyotmek.exe	4bac5354361f6c12ff5dde774c41b40b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\meyotmek.exe	4bac5354361f6c12ff5dde774c41b40b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3032	4bac5354361f6c12ff5dde774c41b40b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2540	3032	4bac5354361f6c12ff5dde774c41b40b_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2540	3032	4bac5354361f6c12ff5dde774c41b40b_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2540	3032	4bac5354361f6c12ff5dde774c41b40b_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2540	3032	4bac5354361f6c12ff5dde774c41b40b_JaffaCakes118.exe	30
PID 3032 wrote to memory of 1848	3032	4bac5354361f6c12ff5dde774c41b40b_JaffaCakes118.exe	31
PID 3032 wrote to memory of 1848	3032	4bac5354361f6c12ff5dde774c41b40b_JaffaCakes118.exe	31
PID 3032 wrote to memory of 1848	3032	4bac5354361f6c12ff5dde774c41b40b_JaffaCakes118.exe	31
PID 3032 wrote to memory of 1848	3032	4bac5354361f6c12ff5dde774c41b40b_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\4bac5354361f6c12ff5dde774c41b40b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4bac5354361f6c12ff5dde774c41b40b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\meyotmek.exe
  C:\Windows\system32\meyotmek.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\4bac5354361f6c12ff5dde774c41b40b_JaffaCakes118.exe.bat
  2⤵
  - Deletes itself
  PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4bac5354361f6c12ff5dde774c41b40b_JaffaCakes118.exe.bat

Filesize
210B

MD5
e5c851cfb857d80f96eb4f09a0f5cb6d

SHA1
b94b9fd2d975f3ea6e4b25b058611e935d6e57ec

SHA256
fdf227cf0583d6cebeaf872107c19a5fe40759891badae615ad2c5c1d5230c07

SHA512
2c465ac51bac4eefa16db8a6684267216d4d73e20e21ccff3fd62434f05a8696ea315dd0a1fb4bc36a9a14d2d4efc61ebc06bc213e1f39282f2f40101af15dba

Download Submit
\Windows\SysWOW64\meyotmek.exe

Filesize
13KB

MD5
4bac5354361f6c12ff5dde774c41b40b

SHA1
1df8b0221aafe91c27e45b6b06aa365874ce3702

SHA256
97b6ffbc2665658cfed89db2f10ecdf92821220ffd956e815b698f9bf0e6b20d

SHA512
8628ec20bee151ac8abb1b51c5848b27a63dd952763f404637caf80fac766d6e37dda171a653b7686ab7deaa18464785ae004ea1b0d926009810e115d714acab

Download Submit
memory/2540-11-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3032-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3032-10-0x0000000000030000-0x000000000003F000-memory.dmp

Filesize
60KB

Download
memory/3032-20-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download