23fc4a6142a14edb2d697477ee3a57d9dc4a60b694ad331db3e36fd4984c3315

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5af24cd2eb58fa8fad973af67352fa34_JaffaCakes118.exe
Size

2.0MB
MD5

5af24cd2eb58fa8fad973af67352fa34
SHA1

f311e78f5f90cf87d9a75e24391507ee607b0eca
SHA256

23fc4a6142a14edb2d697477ee3a57d9dc4a60b694ad331db3e36fd4984c3315
SHA512

9bb5a7873279cbcc5afd94b577f14f60487b4b7e07e4f523c909e8fe9b09507143441e98f88d1da0ffca18bed350029f0bcc5ee62adbf44acc45349730155706
SSDEEP

24576:h8/Fs0QTdbQIK6sTjp4JnfqFh+l3BAECBUv/vf0LmnXFzFHr:humZYqi0BAJUwMh9

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2672	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2416	5af24cd2eb58fa8fad973af67352fa34_JaffaCakes118.exe
2416	5af24cd2eb58fa8fad973af67352fa34_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2416-0-0x0000000000400000-0x000000000054A000-memory.dmp	upx
behavioral1/files/0x000700000001211b-8.dat	upx
behavioral1/memory/2672-12-0x0000000000400000-0x000000000054A000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2416	5af24cd2eb58fa8fad973af67352fa34_JaffaCakes118.exe
2416	5af24cd2eb58fa8fad973af67352fa34_JaffaCakes118.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe
2672	explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2672	2416	5af24cd2eb58fa8fad973af67352fa34_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2672	2416	5af24cd2eb58fa8fad973af67352fa34_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2672	2416	5af24cd2eb58fa8fad973af67352fa34_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2672	2416	5af24cd2eb58fa8fad973af67352fa34_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2580	2672	explorer.exe	31
PID 2672 wrote to memory of 2580	2672	explorer.exe	31
PID 2672 wrote to memory of 2580	2672	explorer.exe	31
PID 2672 wrote to memory of 2580	2672	explorer.exe	31

C:\Users\Admin\AppData\Local\Temp\5af24cd2eb58fa8fad973af67352fa34_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5af24cd2eb58fa8fad973af67352fa34_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\explorer.exe" --ch=1
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\29183.bat"
    3⤵
    PID:2580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\29183.bat

Filesize
183B

MD5
ffbf6f21f13e82ac16ef78cac9d0d5bf

SHA1
2208d9bf0278159d306ad2d87bcdf68342183ba3

SHA256
dace2c22914f8353b0f39eec1906305c3fc7952aa161b3133b4b8b12f73a3eb5

SHA512
130f454126aa46b6527a54db524193731b6efa422dff8f208dcca425a17aec4d38bb6cc534f1a25d1ce6038ab07925d20648c609ee4701db6c6fe6ed80b969df

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
2.0MB

MD5
5af24cd2eb58fa8fad973af67352fa34

SHA1
f311e78f5f90cf87d9a75e24391507ee607b0eca

SHA256
23fc4a6142a14edb2d697477ee3a57d9dc4a60b694ad331db3e36fd4984c3315

SHA512
9bb5a7873279cbcc5afd94b577f14f60487b4b7e07e4f523c909e8fe9b09507143441e98f88d1da0ffca18bed350029f0bcc5ee62adbf44acc45349730155706

Download Submit
memory/2416-0-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/2416-1-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/2416-10-0x0000000002130000-0x000000000227A000-memory.dmp

Filesize
1.3MB

Download
memory/2416-11-0x0000000002130000-0x000000000227A000-memory.dmp

Filesize
1.3MB

Download
memory/2416-14-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/2416-30-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/2672-12-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/2672-13-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/2672-15-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/2672-28-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download