6acf491eaa8b1c011f1f064c97a0e442ea9dea3a15fd3a2cf8bd730dcddda253

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe
Size

604KB
MD5

47f31422fdb1a264a3f56b1dd3c34e01
SHA1

34ed4211de10edfdac21fae987f242285928cc87
SHA256

6acf491eaa8b1c011f1f064c97a0e442ea9dea3a15fd3a2cf8bd730dcddda253
SHA512

b400e58d458de7588dbe1ff87907765b8c1d7b8ebfe233b00a9d8c4ab13b3a06771b9bb0b7e9155560fb4e423c5d7a611dff775bdef8ca4db0794bdff34b3b29
SSDEEP

6144:6fGGBGgkDWNTTHKpedc2+WzddS1XAMi/vS7UugE:OBG8VHKcdc27zddS1XAMiqX

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2652	cmd.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2604-0-0x0000000000400000-0x0000000000499000-memory.dmp	upx
behavioral1/memory/2604-33-0x0000000000400000-0x0000000000499000-memory.dmp	upx
behavioral1/files/0x00080000000174a8-36.dat	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2604 set thread context of 1780	2604	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	31

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2756	reg.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 1780	2604	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	31
PID 2604 wrote to memory of 1780	2604	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	31
PID 2604 wrote to memory of 1780	2604	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	31
PID 2604 wrote to memory of 1780	2604	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	31
PID 2604 wrote to memory of 1780	2604	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	31
PID 2604 wrote to memory of 1780	2604	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	31
PID 2604 wrote to memory of 1780	2604	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	31
PID 2604 wrote to memory of 1780	2604	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	31
PID 1780 wrote to memory of 2296	1780	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	32
PID 1780 wrote to memory of 2296	1780	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	32
PID 1780 wrote to memory of 2296	1780	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	32
PID 1780 wrote to memory of 2296	1780	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	32
PID 2604 wrote to memory of 2652	2604	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	34
PID 2604 wrote to memory of 2652	2604	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	34
PID 2604 wrote to memory of 2652	2604	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	34
PID 2604 wrote to memory of 2652	2604	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	34
PID 2296 wrote to memory of 2756	2296	cmd.exe	36
PID 2296 wrote to memory of 2756	2296	cmd.exe	36
PID 2296 wrote to memory of 2756	2296	cmd.exe	36
PID 2296 wrote to memory of 2756	2296	cmd.exe	36
PID 2296 wrote to memory of 2676	2296	cmd.exe	37
PID 2296 wrote to memory of 2676	2296	cmd.exe	37
PID 2296 wrote to memory of 2676	2296	cmd.exe	37
PID 2296 wrote to memory of 2676	2296	cmd.exe	37
PID 2296 wrote to memory of 2676	2296	cmd.exe	37
PID 2296 wrote to memory of 2676	2296	cmd.exe	37
PID 2296 wrote to memory of 2676	2296	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Local\Temp\47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Start.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .exe /f
      4⤵
      Modifies registry key
      PID:2756
  - - C:\Windows\SysWOW64\gpupdate.exe
      gpupdate /force
      4⤵
      PID:2676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\jnduf.bat
  2⤵
  - Deletes itself
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Start.bat

Filesize
200B

MD5
9cedeb0b293d2b5491225ef3d9eb2a8b

SHA1
b607ef9bd319b6ec696c8dab8a314998d133298b

SHA256
3fc59706783a0778da9121da52a63e34e47c82f436d5b14943e14fb418fd4f08

SHA512
ec7d4544e32b1ea460895b1037a9eca2529eed45d6ee1644f83dfc4d4ad8f7c32a811ee4627bc6b243fb5d5c9e3e2b22060d6a2903692830ff1f114d2b9f3cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf.bat

Filesize
305B

MD5
f04ad4ebb1f9e0beff1c4c0a4075dc49

SHA1
227fb3e1fa88bf17be8daec72722cb43ad2e777f

SHA256
380a3d89bb9cc2f58c406d92abb352a9219d235db50955b519a025d5b0e916c5

SHA512
ca4be0dfc969d97ef228859f0061b6f163d5ae34f331557c6b06d26ed4df4f36eea953866bf810fef9724ccbc91bbb843d980d28c5645f7f7982f078332a82c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf~.tmp

Filesize
604KB

MD5
4e7e6043663387fe144c23f4e8b9438d

SHA1
dcbf8e32ff57e09353c1a9a020935584a46016c4

SHA256
9f9a5afa750cfc00adeb4c9f8055190e2e55f447b3001698f78734859ffb381d

SHA512
05d4eeaccf5d996c0e63b819180b431b004f3a31ea168179b4bc94532f645efb5f13ac22a2348224a71909054b5c19aabf2f3070a0b6582230a7e36a9a76df45

Download Submit
memory/1780-13-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1780-11-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1780-5-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1780-3-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1780-1-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1780-9-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1780-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1780-7-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2604-12-0x0000000000510000-0x00000000005A9000-memory.dmp

Filesize
612KB

Download
memory/2604-0-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/2604-33-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download