6acf491eaa8b1c011f1f064c97a0e442ea9dea3a15fd3a2cf8bd730dcddda253

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe
Size

604KB
MD5

47f31422fdb1a264a3f56b1dd3c34e01
SHA1

34ed4211de10edfdac21fae987f242285928cc87
SHA256

6acf491eaa8b1c011f1f064c97a0e442ea9dea3a15fd3a2cf8bd730dcddda253
SHA512

b400e58d458de7588dbe1ff87907765b8c1d7b8ebfe233b00a9d8c4ab13b3a06771b9bb0b7e9155560fb4e423c5d7a611dff775bdef8ca4db0794bdff34b3b29
SSDEEP

6144:6fGGBGgkDWNTTHKpedc2+WzddS1XAMi/vS7UugE:OBG8VHKcdc27zddS1XAMiqX

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4772-0-0x0000000000400000-0x0000000000499000-memory.dmp	upx
behavioral2/memory/4772-13-0x0000000000400000-0x0000000000499000-memory.dmp	upx
behavioral2/files/0x0008000000023428-16.dat	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4772 set thread context of 5016	4772	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	83

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3924	reg.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 5016	4772	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	83
PID 4772 wrote to memory of 5016	4772	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	83
PID 4772 wrote to memory of 5016	4772	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	83
PID 4772 wrote to memory of 5016	4772	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	83
PID 4772 wrote to memory of 5016	4772	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	83
PID 4772 wrote to memory of 5016	4772	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	83
PID 4772 wrote to memory of 5016	4772	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	83
PID 5016 wrote to memory of 2780	5016	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	84
PID 5016 wrote to memory of 2780	5016	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	84
PID 5016 wrote to memory of 2780	5016	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	84
PID 4772 wrote to memory of 544	4772	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	86
PID 4772 wrote to memory of 544	4772	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	86
PID 4772 wrote to memory of 544	4772	47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe	86
PID 2780 wrote to memory of 3924	2780	cmd.exe	88
PID 2780 wrote to memory of 3924	2780	cmd.exe	88
PID 2780 wrote to memory of 3924	2780	cmd.exe	88
PID 2780 wrote to memory of 2856	2780	cmd.exe	89
PID 2780 wrote to memory of 2856	2780	cmd.exe	89
PID 2780 wrote to memory of 2856	2780	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Users\Admin\AppData\Local\Temp\47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\47f31422fdb1a264a3f56b1dd3c34e01_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Start.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .exe /f
      4⤵
      Modifies registry key
      PID:3924
  - - C:\Windows\SysWOW64\gpupdate.exe
      gpupdate /force
      4⤵
      PID:2856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jnduf.bat
  2⤵
  PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Start.bat

Filesize
200B

MD5
9cedeb0b293d2b5491225ef3d9eb2a8b

SHA1
b607ef9bd319b6ec696c8dab8a314998d133298b

SHA256
3fc59706783a0778da9121da52a63e34e47c82f436d5b14943e14fb418fd4f08

SHA512
ec7d4544e32b1ea460895b1037a9eca2529eed45d6ee1644f83dfc4d4ad8f7c32a811ee4627bc6b243fb5d5c9e3e2b22060d6a2903692830ff1f114d2b9f3cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf.bat

Filesize
305B

MD5
f04ad4ebb1f9e0beff1c4c0a4075dc49

SHA1
227fb3e1fa88bf17be8daec72722cb43ad2e777f

SHA256
380a3d89bb9cc2f58c406d92abb352a9219d235db50955b519a025d5b0e916c5

SHA512
ca4be0dfc969d97ef228859f0061b6f163d5ae34f331557c6b06d26ed4df4f36eea953866bf810fef9724ccbc91bbb843d980d28c5645f7f7982f078332a82c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnduf~.tmp

Filesize
604KB

MD5
c87585d6d343acad4d0619e062430a15

SHA1
93791bae584f1d5605661329e499cfb18a8fb3c2

SHA256
e56f396833ee029348d3b0df5fafd23d61e9f270f4548ff149467642c50ef586

SHA512
9300362db40ee38675eefe55152722218f1c6eb511438b832ae05169667fc0e49e127a2a14002fe9a2897914a09a7e8aed88fc9ee80fa5d705ea3e5218167d01

Download Submit
memory/4772-0-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4772-13-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/5016-1-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5016-3-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5016-6-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5016-7-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download