17e20d4fe02cea1691fe644e059258b5c94c3a716f49a633e1812425f8a7f6ad

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4816133e9df72e2024c815e2f8dad783_JaffaCakes118.exe
Size

5.2MB
MD5

4816133e9df72e2024c815e2f8dad783
SHA1

07e8409059eaf25168e1de54aaaa76d059146cd5
SHA256

17e20d4fe02cea1691fe644e059258b5c94c3a716f49a633e1812425f8a7f6ad
SHA512

c08907b0ebaeb6274220312f0723a248d426528b4bebe3e0980fe31d72418bb331a2d54e77f09827a84621db8070fd5a93cfe4b476d5c5a9334185140d7cc844
SSDEEP

98304:ZiaRRoHX95ztsv0bQU6PxdRLS9TkabKaVJQIbGWOCSDJIrGpFHuaqiNfgil3nB1O:IBtE0f6PxdRLSVXFJ/yLDiwLTFVnB16L

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2492	7za.exe
2068	Setup.exe

Loads dropped DLL 3 IoCs

pid	Process
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2372-0-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2372-61-0x0000000000400000-0x000000000044E000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00050000000198f1-72.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	Setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2068	Setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2068	Setup.exe
2068	Setup.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2716	2372	4816133e9df72e2024c815e2f8dad783_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2716	2372	4816133e9df72e2024c815e2f8dad783_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2716	2372	4816133e9df72e2024c815e2f8dad783_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2716	2372	4816133e9df72e2024c815e2f8dad783_JaffaCakes118.exe	30
PID 2716 wrote to memory of 3024	2716	WScript.exe	31
PID 2716 wrote to memory of 3024	2716	WScript.exe	31
PID 2716 wrote to memory of 3024	2716	WScript.exe	31
PID 2716 wrote to memory of 3024	2716	WScript.exe	31
PID 3024 wrote to memory of 2492	3024	cmd.exe	33
PID 3024 wrote to memory of 2492	3024	cmd.exe	33
PID 3024 wrote to memory of 2492	3024	cmd.exe	33
PID 3024 wrote to memory of 2492	3024	cmd.exe	33
PID 3024 wrote to memory of 2068	3024	cmd.exe	34
PID 3024 wrote to memory of 2068	3024	cmd.exe	34
PID 3024 wrote to memory of 2068	3024	cmd.exe	34
PID 3024 wrote to memory of 2068	3024	cmd.exe	34
PID 3024 wrote to memory of 2068	3024	cmd.exe	34
PID 3024 wrote to memory of 2068	3024	cmd.exe	34
PID 3024 wrote to memory of 2068	3024	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\4816133e9df72e2024c815e2f8dad783_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4816133e9df72e2024c815e2f8dad783_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Lanceur.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Extract.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\7za.exe
      .\7za.exe e .\Pack.7z -pjesuisadmin -y
      4⤵
      Executes dropped EXE
      PID:2492
  - - C:\Users\Admin\AppData\Local\Temp\Setup.exe
      .\Setup.exe
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Extract.bat

Filesize
80B

MD5
2ce6eef84b7f306858c23000f017e2a0

SHA1
1767837936825158d0a5faf707d130fcb3fe52b2

SHA256
6d7b5f31415ea7796876bee5350704fe556201800fdcb143ebfcd4bd450e9d4a

SHA512
47d989c8e394b0486841c056ab749a30351556773abe9e6d5f7c56db9d74a2cd9dc60c6d95ec75b6e4dde1887ac46aa044d346c5839d434d5174ba9a0cd50304

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMAGESWP.jpg

Filesize
79KB

MD5
40b32c9b404b1f1ea3f6f069a5361096

SHA1
080a1b8cfb754cda674de6812bcaacf9a2f92b38

SHA256
f54c0d236f13162ba256ed9c56a78af5f1d73ae99310998c3cc762e46de77252

SHA512
a94590a002de980f6219b9ff1928b1dc831fa79414de2bab83c7fe32461d658d1ed129127f7587f6dae835f7dea4d2d101b75e109f8869aa6fa29dd7e816a253

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lanceur.vbs

Filesize
115B

MD5
67eb1322395d41dddc9045b4eef2309d

SHA1
b85b2332b9fd4ac03aec49a9291e90e8b96547a5

SHA256
56ddc657309aeab74ca42cf466deac992da8a0054830340ba839ffdf1d242be4

SHA512
de37b1358f639f6647e6ae99b6719a0ddf5e9b8f9e8ea33b6284ecac3d33650e9257a63697dcd5d79ee5ed2790ece0b3aca3332719f678ca89f3d4562b00603d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pack.7z

Filesize
4.8MB

MD5
9c7ff573ed42e92129d61b8da152615e

SHA1
24e2656457a012860195c936e3ed770d22b7ab48

SHA256
b619c2a66d09a236c71b332e50c13e41f94703a9dbb4b8d1b0eb4da12264464e

SHA512
1a0338bbf6cec9ca9e24cb5eb72866abfd39c8b8a6aea12edb0fe7f70e0a7fd6bc0e9b2054700da2a99c541bae7e4fb06596dbbb9f24a78db7f0052b05b772f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
798KB

MD5
a34de14846b4b412f99c5ad92c54aea6

SHA1
f5aad68846712dfd582ae9bcebc98cd2885886af

SHA256
52a4cd1650e2c29ab5fc8a72ab68b65d8302671bde2f32099bf581490d9089b1

SHA512
e2858af59016f85f15f21a5ddc699dd2f9b04e720e2538943c38605fe017c8bcc47e990696ac03cdfd0f68901811c351e700a8700cc9a5ecac3e15b00b24e9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bandeaux.jpg

Filesize
26KB

MD5
9c1b420f4772b9f7d7b5ff01e174dc29

SHA1
274df92ece2c49591147d70744c4874a436b07f7

SHA256
01c7dfe7007c861325884737577a085bd805bc7a16d881af97c30650634d0d8e

SHA512
82fc8e8ec34d5f68cd0d5a9e55e63a12114924e3a784d54323fee5932da4fa428e54ee51f26c80d8326f4ed3409770d35fcf9e148012c52b421e02f1b1b8b215

Download Submit
C:\Users\Admin\AppData\Local\Temp\btn_jaccepte.jpg

Filesize
17KB

MD5
a9661de329d4748f47e64d58dddcc86b

SHA1
d47c6ffd69f3c9dd9f30e83a9657b9017bb274ac

SHA256
0aab285d81bc0345da2a447fedb5c653815e20ab983b2a4f23c5fbdb29247c5d

SHA512
0e662132385db9fe4e8a4d825085bc08dcb43f6c6b284eb40ea6320d024c769ddacd58dd51f63e6d8c7b0a04a08befb7b57e768145cffdfabbb9d3de6c92b29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
376B

MD5
8e43dcf6964a7c171a6d78722ea4b790

SHA1
140bfed4b00aa4770089061413e89a6343957603

SHA256
49a49886a4dcf7aa2356a818e8ee52d59b44ea372ae3645b38e68c3b22aaf677

SHA512
d5967b3e26092caa10d32e1ba602eef505980b0e0f9de3e4860e01872ac3bbcf26ce07f9670289f7b72196e3007862872b6a7b4b634f41a27c0628232c9b06b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eula.html

Filesize
17KB

MD5
ed16b03674655fc4d3fa431406ac9901

SHA1
15f995504fa56b3cc2413325cc43c2f3b2d8b843

SHA256
cd9dceabf43d32edbbdf5f4bef952020a2eea737d5beb7bf16b677078d34e2c9

SHA512
f8a000391751c29435370fc69d1f22f7b0f61da2944eacbb3e86956e81e21aa071020b85eb4fc247603add440848e751433ebc419457aa19532627948c91099d

Download Submit
\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
465KB

MD5
885e9eb42889ca547f4e3515dcde5d3d

SHA1
d4206fc233e3a708b54439e1c2bc12b48a755ed1

SHA256
b3a70d388488c34dd5c767692eccc9effed36b8e7c1ee03ace1bd27123a2e6d6

SHA512
3e5ddfc47b9f28115385ef4d311d8c929be7daa6d9c22e1c57449488cd434f69695726bd6008d88fd0d570f38105c4b97b311fbd26d5ad79e1539e8d220a385b

Download Submit
memory/2372-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2372-61-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download