b002d280111d888f55e86080450c1928e6081ab32cdb5ccd0df8859e4d496d72

Analysis

max time kernel
149s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48a768eceba89e838e283d2bf46a15a7_JaffaCakes118.exe
Size

21KB
MD5

48a768eceba89e838e283d2bf46a15a7
SHA1

8e3bf102c20a5027e2fe35ea1e0499a1a6174b59
SHA256

b002d280111d888f55e86080450c1928e6081ab32cdb5ccd0df8859e4d496d72
SHA512

f9357337c52a64890b8a508955d6122491d2353df3eb415fdd0cfc0a12f3bab7774ed901be8ec3265e5d18971fe370349d873ccc02c7664b1b49ea3ddff51ee4
SSDEEP

384:RxXcx+KAysAufwPmH+myhwJLkHKs4jyz6usadoTet8LxjKhiMEalTe8KjtIWZ+V6:RxM4LcFKTmbZoTetYZAtlKjn3

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3056	hidedown.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2224-0-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/files/0x0008000000018f90-4.dat	upx
behavioral1/memory/3056-5-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/2224-7-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/3056-12-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/3056-34-0x0000000000400000-0x0000000000415000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\help\wintemp.CHI	48a768eceba89e838e283d2bf46a15a7_JaffaCakes118.exe
File created	C:\Windows\help\hidedown.exe	48a768eceba89e838e283d2bf46a15a7_JaffaCakes118.exe
File created	C:\Windows\help\hidedll.dll	48a768eceba89e838e283d2bf46a15a7_JaffaCakes118.exe
File created	C:\Windows\help\wintemp.CHI	48a768eceba89e838e283d2bf46a15a7_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe
3056	hidedown.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe
Token: SeDebugPrivilege	3056	hidedown.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9
PID 3056 wrote to memory of 584	3056	hidedown.exe	9

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:584

C:\Users\Admin\AppData\Local\Temp\48a768eceba89e838e283d2bf46a15a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\48a768eceba89e838e283d2bf46a15a7_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
PID:2224

C:\Windows\help\hidedown.exe
C:\Windows\help/hidedown.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Help\hidedown.exe

Filesize
21KB

MD5
48a768eceba89e838e283d2bf46a15a7

SHA1
8e3bf102c20a5027e2fe35ea1e0499a1a6174b59

SHA256
b002d280111d888f55e86080450c1928e6081ab32cdb5ccd0df8859e4d496d72

SHA512
f9357337c52a64890b8a508955d6122491d2353df3eb415fdd0cfc0a12f3bab7774ed901be8ec3265e5d18971fe370349d873ccc02c7664b1b49ea3ddff51ee4

Download Submit
memory/584-8-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2224-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2224-7-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3056-5-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3056-12-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3056-34-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download