44df75c08baac168a76ba614ed5a98cae261b382722a2e4d2610cb8887e24d9e

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4866c39dd9f4d81b26641718a8e719d9_JaffaCakes118.exe
Size

32KB
MD5

4866c39dd9f4d81b26641718a8e719d9
SHA1

3cbd5d9c940278506a8603a8dca2fd16e0d9a59d
SHA256

44df75c08baac168a76ba614ed5a98cae261b382722a2e4d2610cb8887e24d9e
SHA512

735b6fc7baed5b0808d3bc77f5e7444901f906166bf5d9ad43bbeb2d182c73d395b0328bd3e1715a5043d30d8cba3313a13bd3d4e1f4e9ea1dd254f6cd69e6f5
SSDEEP

768:eaHWjiG7WC+d9CkrpcJEv7efBpcEKQVY5LRzpZ+Q:egUy1d9zmJ33cfQqlpZ+Q

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2540-3-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2540-36-0x0000000000400000-0x000000000041A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 1932	2540	4866c39dd9f4d81b26641718a8e719d9_JaffaCakes118.exe	30
PID 2540 wrote to memory of 1932	2540	4866c39dd9f4d81b26641718a8e719d9_JaffaCakes118.exe	30
PID 2540 wrote to memory of 1932	2540	4866c39dd9f4d81b26641718a8e719d9_JaffaCakes118.exe	30
PID 2540 wrote to memory of 1932	2540	4866c39dd9f4d81b26641718a8e719d9_JaffaCakes118.exe	30
PID 1932 wrote to memory of 2844	1932	cmd.exe	32
PID 1932 wrote to memory of 2844	1932	cmd.exe	32
PID 1932 wrote to memory of 2844	1932	cmd.exe	32
PID 1932 wrote to memory of 2844	1932	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\4866c39dd9f4d81b26641718a8e719d9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4866c39dd9f4d81b26641718a8e719d9_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~AA05.bat "C:\Users\Admin\AppData\Local\Temp\4866c39dd9f4d81b26641718a8e719d9_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Portable.vbs"
    3⤵
    PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Portable.vbs

Filesize
204B

MD5
3a08fcf3ef7f0887c9ec00ebcf4c8115

SHA1
5d790ca5475342703bed42bcdf6b4693466fe6e5

SHA256
7e9e6374004943f7bcf4a3f71aa005e1507d8b46373ac57a2cb62d90e6d9c095

SHA512
a5f09e0a67adc2b98b03741fd8e85d04a4e106a0e5f45e840f6dca040fb32d2cf4f203a404bca0f0577fd8347a7fc87e63ff1172ca7807ef61275450f5980b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\~AA05.bat

Filesize
49B

MD5
b6b5d44a3b19ae57f72ba2c4989ce328

SHA1
2142dbc4664adee05468783371d200a095251d70

SHA256
c1e98110ee3dccea65f6aa56bf246457ed3c1141a64d0711e3ae7d5f36fa9e2f

SHA512
d6b05e9adaa889cbcd8534778e0406865e8d0afef3de2bd955f72357c5a0e013501cdd1b570c2d89c349b887a59317bfeda0a3aa3c97a908adc82b60e1c74cc2

Download Submit
memory/2540-3-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2540-36-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download