07e4352baf0b7a5e30cb1b22170e35f248ed4669ef424bf894b5c1d51805fadf

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d4c0d6fcaa833ea8c8ab828509f0ccf_JaffaCakes118.exe
Size

25KB
MD5

5d4c0d6fcaa833ea8c8ab828509f0ccf
SHA1

1a76980ab54374b700ef09498a7fe36e439e0455
SHA256

07e4352baf0b7a5e30cb1b22170e35f248ed4669ef424bf894b5c1d51805fadf
SHA512

f0b1c57a0ca37641568567110bb304272ec342a0c87bfebb9751dad35af789c35524675d19cfd0e7f125b8feb51313396be9c44234d9045c3f6f554928275e65
SSDEEP

768:LoaI/JOzoUPKFevLvP4thbZXOnbFVMwV:LoakJOzo2KFKvwV4bFyY

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hîsts	WScript.exe
File opened for modification	C:\Windows\system32\drivers\etc\hîsts	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AdobeUpdater.lnk	WScript.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1252-0-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2404	1252	5d4c0d6fcaa833ea8c8ab828509f0ccf_JaffaCakes118.exe	30
PID 1252 wrote to memory of 2404	1252	5d4c0d6fcaa833ea8c8ab828509f0ccf_JaffaCakes118.exe	30
PID 1252 wrote to memory of 2404	1252	5d4c0d6fcaa833ea8c8ab828509f0ccf_JaffaCakes118.exe	30
PID 1252 wrote to memory of 2404	1252	5d4c0d6fcaa833ea8c8ab828509f0ccf_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\5d4c0d6fcaa833ea8c8ab828509f0ccf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5d4c0d6fcaa833ea8c8ab828509f0ccf_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ex.vbs"
  2⤵
  - Drops file in Drivers directory
  - Drops startup file
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ex.vbs

Filesize
911B

MD5
b49065b2e584432bef9a06ab430cb27b

SHA1
10290eba90ae147748b3857343572d495384f099

SHA256
45e78a6c3c983a500561b726112bce9eb63eae5eec104c6af1edc63a159a8c4f

SHA512
f4174d06c499ee3c32f342560c1c6b020b75782316f532992d1d870787610390f10929ad3126c4ecc64caff3d1b5156354a6ad9863ee90ec646ce67ce23c537d

Download Submit
C:\Users\Admin\AppData\Local\Temp\h1

Filesize
138KB

MD5
4c13c86a953569ec075cc2d3c300793e

SHA1
c0f16a5cac3f6c684de23dad0666d65edca93e3b

SHA256
85091f520ee6dc78f9622e804252930fe49fcf47fa72f961249d3033a0a183a7

SHA512
0d6338c6ed9deb2c7487113340fdec4b18833d823fad71733e681438a23eb15858c056a853e39efd06897b0b660be56a46209d71fb2ff75c2da3737f87081b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\h2

Filesize
769B

MD5
45954f9078276becd94b3e723803279f

SHA1
48fe4b9e46f989e26263e420041f3a9d1a1dfeb7

SHA256
86ab20e8a8167fbb13f9fe5456fa9bd7d72315bb342c184d2f38b64aaef102d1

SHA512
a1df12ed9975dfe5ec3d1b2e337e8c13f954dd6497541d2b388764036ddfae84f3ab2634996da2ae0c697e8e7728db73a847064ac94575d4c203cde635ad23c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1.bat

Filesize
521B

MD5
dc6512b1a47158404003b17dfd278661

SHA1
ac8a37cd4ca0a7be24f5d9d55b67f365f9f2b05f

SHA256
a7e05f7402995dd2495fd50ef99c61a19ff9226ae366d66add5f6f2d3424edf5

SHA512
b6fcf7f45b2949187113c57d05192b95af4e3e69056e478d513db179de3ca1a8623442faa102cbf09b01d9e6b2679fae675fab1c7c8fd029101dbcb104faeaad

Download Submit
memory/1252-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1252-11-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/1252-10-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/1252-1072-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download