3d20069b5c91736958b89ceb5665e9b83d9d3ac7dbdac058a65feabe3dada5c3

Analysis

max time kernel
140s
max time network
128s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a53238d3a09dabca17ac487c55bde58_JaffaCakes118.exe
Size

381KB
MD5

5a53238d3a09dabca17ac487c55bde58
SHA1

058bde3a6ab6f86eb8ed334d7f43ee17e228ae8f
SHA256

3d20069b5c91736958b89ceb5665e9b83d9d3ac7dbdac058a65feabe3dada5c3
SHA512

3ec9d398d8544b4b53e93c9a9fc950a9cec506166ba648613e9ee01bb7792fe739f04766e38e7fe3a98248644a50ff7bdd30efa8d981f61aaf76d2493a2bcb03
SSDEEP

6144:VQq5+SdzYj64bj9pvMGy3QvB5H1Ut/GqsnMmAvg7CYLOa4gXBHYbktyimQQNOfnq:BY6y9p052B5VUtDcMmAvcC/gXBH6ktyh

Score

10^/10

evasion execution upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
2796	±¸ÓÃ.exe
2012	F11Õ³Ìù.exe

Loads dropped DLL 11 IoCs

pid	Process
1656	5a53238d3a09dabca17ac487c55bde58_JaffaCakes118.exe
1656	5a53238d3a09dabca17ac487c55bde58_JaffaCakes118.exe
1656	5a53238d3a09dabca17ac487c55bde58_JaffaCakes118.exe
1656	5a53238d3a09dabca17ac487c55bde58_JaffaCakes118.exe
2796	±¸ÓÃ.exe
2796	±¸ÓÃ.exe
2796	±¸ÓÃ.exe
2012	F11Õ³Ìù.exe
2012	F11Õ³Ìù.exe
2012	F11Õ³Ìù.exe
2912	rundll32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000012119-3.dat	upx
behavioral1/memory/2796-27-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2796-37-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\YUksuser.dll	±¸ÓÃ.exe
File opened for modification	C:\Windows\SysWOW64\YUksuser.dll	±¸ÓÃ.exe
File created	C:\Windows\SysWOW64\ksuser.dll	±¸ÓÃ.exe
File created	C:\Windows\SysWOW64\dllcache\ksuser.dll	±¸ÓÃ.exe
File created	C:\Windows\SysWOW64\YUmidimap.dll	±¸ÓÃ.exe
File created	C:\Windows\SysWOW64\midimap.dll	±¸ÓÃ.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	±¸ÓÃ.exe
File created	C:\Windows\SysWOW64\sysapp6.dll	±¸ÓÃ.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2724	sc.exe
2668	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2796	±¸ÓÃ.exe
2796	±¸ÓÃ.exe
2796	±¸ÓÃ.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2012	F11Õ³Ìù.exe
2012	F11Õ³Ìù.exe
2012	F11Õ³Ìù.exe
2012	F11Õ³Ìù.exe
2012	F11Õ³Ìù.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2012	F11Õ³Ìù.exe
2012	F11Õ³Ìù.exe
2012	F11Õ³Ìù.exe
2012	F11Õ³Ìù.exe
2012	F11Õ³Ìù.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2796	±¸ÓÃ.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2796	1656	5a53238d3a09dabca17ac487c55bde58_JaffaCakes118.exe	30
PID 1656 wrote to memory of 2796	1656	5a53238d3a09dabca17ac487c55bde58_JaffaCakes118.exe	30
PID 1656 wrote to memory of 2796	1656	5a53238d3a09dabca17ac487c55bde58_JaffaCakes118.exe	30
PID 1656 wrote to memory of 2796	1656	5a53238d3a09dabca17ac487c55bde58_JaffaCakes118.exe	30
PID 1656 wrote to memory of 2796	1656	5a53238d3a09dabca17ac487c55bde58_JaffaCakes118.exe	30
PID 1656 wrote to memory of 2796	1656	5a53238d3a09dabca17ac487c55bde58_JaffaCakes118.exe	30
PID 1656 wrote to memory of 2796	1656	5a53238d3a09dabca17ac487c55bde58_JaffaCakes118.exe	30
PID 1656 wrote to memory of 2012	1656	5a53238d3a09dabca17ac487c55bde58_JaffaCakes118.exe	31
PID 1656 wrote to memory of 2012	1656	5a53238d3a09dabca17ac487c55bde58_JaffaCakes118.exe	31
PID 1656 wrote to memory of 2012	1656	5a53238d3a09dabca17ac487c55bde58_JaffaCakes118.exe	31
PID 1656 wrote to memory of 2012	1656	5a53238d3a09dabca17ac487c55bde58_JaffaCakes118.exe	31
PID 1656 wrote to memory of 2012	1656	5a53238d3a09dabca17ac487c55bde58_JaffaCakes118.exe	31
PID 1656 wrote to memory of 2012	1656	5a53238d3a09dabca17ac487c55bde58_JaffaCakes118.exe	31
PID 1656 wrote to memory of 2012	1656	5a53238d3a09dabca17ac487c55bde58_JaffaCakes118.exe	31
PID 2796 wrote to memory of 2660	2796	±¸ÓÃ.exe	32
PID 2796 wrote to memory of 2660	2796	±¸ÓÃ.exe	32
PID 2796 wrote to memory of 2660	2796	±¸ÓÃ.exe	32
PID 2796 wrote to memory of 2660	2796	±¸ÓÃ.exe	32
PID 2796 wrote to memory of 2660	2796	±¸ÓÃ.exe	32
PID 2796 wrote to memory of 2660	2796	±¸ÓÃ.exe	32
PID 2796 wrote to memory of 2660	2796	±¸ÓÃ.exe	32
PID 2796 wrote to memory of 2668	2796	±¸ÓÃ.exe	33
PID 2796 wrote to memory of 2668	2796	±¸ÓÃ.exe	33
PID 2796 wrote to memory of 2668	2796	±¸ÓÃ.exe	33
PID 2796 wrote to memory of 2668	2796	±¸ÓÃ.exe	33
PID 2796 wrote to memory of 2668	2796	±¸ÓÃ.exe	33
PID 2796 wrote to memory of 2668	2796	±¸ÓÃ.exe	33
PID 2796 wrote to memory of 2668	2796	±¸ÓÃ.exe	33
PID 2796 wrote to memory of 2724	2796	±¸ÓÃ.exe	35
PID 2796 wrote to memory of 2724	2796	±¸ÓÃ.exe	35
PID 2796 wrote to memory of 2724	2796	±¸ÓÃ.exe	35
PID 2796 wrote to memory of 2724	2796	±¸ÓÃ.exe	35
PID 2796 wrote to memory of 2724	2796	±¸ÓÃ.exe	35
PID 2796 wrote to memory of 2724	2796	±¸ÓÃ.exe	35
PID 2796 wrote to memory of 2724	2796	±¸ÓÃ.exe	35
PID 2796 wrote to memory of 2912	2796	±¸ÓÃ.exe	38
PID 2796 wrote to memory of 2912	2796	±¸ÓÃ.exe	38
PID 2796 wrote to memory of 2912	2796	±¸ÓÃ.exe	38
PID 2796 wrote to memory of 2912	2796	±¸ÓÃ.exe	38
PID 2796 wrote to memory of 2912	2796	±¸ÓÃ.exe	38
PID 2796 wrote to memory of 2912	2796	±¸ÓÃ.exe	38
PID 2796 wrote to memory of 2912	2796	±¸ÓÃ.exe	38
PID 2660 wrote to memory of 2552	2660	net.exe	39
PID 2660 wrote to memory of 2552	2660	net.exe	39
PID 2660 wrote to memory of 2552	2660	net.exe	39
PID 2660 wrote to memory of 2552	2660	net.exe	39
PID 2660 wrote to memory of 2552	2660	net.exe	39
PID 2660 wrote to memory of 2552	2660	net.exe	39
PID 2660 wrote to memory of 2552	2660	net.exe	39

C:\Users\Admin\AppData\Local\Temp\5a53238d3a09dabca17ac487c55bde58_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5a53238d3a09dabca17ac487c55bde58_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\±¸ÓÃ.exe
  "C:\Users\Admin\AppData\Local\Temp\±¸ÓÃ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\net.exe
    net stop cryptsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop cryptsvc
      4⤵
      PID:2552
- - C:\Windows\SysWOW64\sc.exe
    sc config cryptsvc start= disabled
    3⤵
    - Launches sc.exe
    PID:2668
- - C:\Windows\SysWOW64\sc.exe
    sc delete cryptsvc
    3⤵
    - Launches sc.exe
    PID:2724
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Users\Admin\AppData\Local\Temp\1721360446.dat, ServerMain c:\users\admin\appdata\local\temp\±¸ÓÃ.exe
    3⤵
    - Loads dropped DLL
    PID:2912
- C:\Users\Admin\AppData\Local\Temp\F11Õ³Ìù.exe
  "C:\Users\Admin\AppData\Local\Temp\F11Õ³Ìù.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1721360446.dat

Filesize
32KB

MD5
31002881fa8a2794e7bb2639540a9174

SHA1
cdd1f042b2cb44b81e83022fefdead9b7b455991

SHA256
92fe9ad554a6add3eb749dc5c786f0ca3c4539d4c3790d09a05bb39116875aad

SHA512
239d6b3131a46664ff8c5bbd1968f4fc5dbe348984ad6179668c508f9e6f64a2a51d87c90573196ff270fecc9f4408c9513fdcf057b29b56d9a19e69a1447528

Download Submit
\Users\Admin\AppData\Local\Temp\F11Õ³Ìù.exe

Filesize
299KB

MD5
02fa04aa1a0f3241cdeb64a3740e0d68

SHA1
31d2a8d4450465f96f339442dc6e9c0fba4ffd79

SHA256
74781a2f6a179ada1b3861c16fe67f3c8dbbd8daa853ec53cb33667655305c95

SHA512
4be1021b71a94d7cfc79cd83bbff109fb1fcc11e824a9da219ef9a044ca6e6c8463d41770999ec0f3644140b7657393864efa023029d2dc1f97d32477e844ce3

Download Submit
\Users\Admin\AppData\Local\Temp\±¸ÓÃ.exe

Filesize
32KB

MD5
109d859e24469aa77f926c970c948e06

SHA1
baa8b7d507a4eab3b3c8f21eadeb5dd29c6c4128

SHA256
037f7d588ea011445e621ec08b7c9ea38a8f554ae5d015feca21f291bcbef9ec

SHA512
411603a7ed1b129eda5a72f22019bf62f8ba32c5e4b80e7d3663e583b4f8f343bb7334e47dc89b632cb7daebf49abd3b8cf4fbf0c5e6076fc43aea2504d17851

Download Submit
memory/2012-40-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2796-27-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2796-26-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/2796-37-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download