4b70bec5195457852e4ab6cb9ca2bea892c438bb224c790636009dc030b63f21

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 00:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5e52b992e2e52d2ce566b622844c8f1f_JaffaCakes118.exe
Size

455KB
MD5

5e52b992e2e52d2ce566b622844c8f1f
SHA1

4b6223942d88beb49554e84ae435d198d3b71254
SHA256

4b70bec5195457852e4ab6cb9ca2bea892c438bb224c790636009dc030b63f21
SHA512

928bd16bc5431265144ad21cc537153fc20259da2a4d21dd517c1eb6e99863527f850dc67d65a96a677f73fcdd64f67a9679958da48d86c62fa6898d7d85e56a
SSDEEP

12288:dDHGzqlj9PB2SsoTdrmz4mB6pdGWLUx0JO4efX0orehkMd:5XJPASsoTNnmArJUx8wNehkM

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3716	5e52b992e2e52d2ce566b622844c8f1f_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1256-0-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/1256-7-0x0000000000400000-0x0000000000481000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1256 set thread context of 3716	1256	5e52b992e2e52d2ce566b622844c8f1f_JaffaCakes118.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3716	5e52b992e2e52d2ce566b622844c8f1f_JaffaCakes118.exe
3716	5e52b992e2e52d2ce566b622844c8f1f_JaffaCakes118.exe
3716	5e52b992e2e52d2ce566b622844c8f1f_JaffaCakes118.exe
3716	5e52b992e2e52d2ce566b622844c8f1f_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
3716	5e52b992e2e52d2ce566b622844c8f1f_JaffaCakes118.exe
3716	5e52b992e2e52d2ce566b622844c8f1f_JaffaCakes118.exe
3716	5e52b992e2e52d2ce566b622844c8f1f_JaffaCakes118.exe
3716	5e52b992e2e52d2ce566b622844c8f1f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 3716	1256	5e52b992e2e52d2ce566b622844c8f1f_JaffaCakes118.exe	84
PID 1256 wrote to memory of 3716	1256	5e52b992e2e52d2ce566b622844c8f1f_JaffaCakes118.exe	84
PID 1256 wrote to memory of 3716	1256	5e52b992e2e52d2ce566b622844c8f1f_JaffaCakes118.exe	84
PID 1256 wrote to memory of 3716	1256	5e52b992e2e52d2ce566b622844c8f1f_JaffaCakes118.exe	84
PID 1256 wrote to memory of 3716	1256	5e52b992e2e52d2ce566b622844c8f1f_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\5e52b992e2e52d2ce566b622844c8f1f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5e52b992e2e52d2ce566b622844c8f1f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\5e52b992e2e52d2ce566b622844c8f1f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5e52b992e2e52d2ce566b622844c8f1f_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pts596A.tmp

Filesize
88KB

MD5
d8c01734181e168944a6c614088da0bd

SHA1
1afed36ef73aa0b72e845a665865c1dfd58468cb

SHA256
3307b5ebb6f773be501fe166c9b2e56f0c4fd16209fbc4ab1a8db5f4305f09ec

SHA512
b56f68830b976f0197b9f630af48c03f9f6d587aa3f76279cca2b8e71ba3776b28f72794b35e85f3f0ed6cd8e42c5a8fda9edb9a4bc3c4e817edded50fe5a68c

Download Submit
memory/1256-7-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1256-0-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3716-12-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3716-5-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3716-4-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3716-1-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3716-8-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3716-3-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3716-13-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3716-21-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3716-29-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3716-30-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3716-32-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3716-36-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download