d2b20c15e71a0bb47da0bd85061ad5b926768a8a798f9d3ed9b559e713a8f659

Analysis

max time kernel
150s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20-07-2024 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f5ec45d962b1cb2f7b474c9c72bfec3_JaffaCakes118.exe
Size

258KB
MD5

5f5ec45d962b1cb2f7b474c9c72bfec3
SHA1

8a8c35549d5c4e0048d67cb0a567962d36ebef17
SHA256

d2b20c15e71a0bb47da0bd85061ad5b926768a8a798f9d3ed9b559e713a8f659
SHA512

c34c93a214567db2c3ddb29b5e3346f2ad6e6ec953be4acc9e1ea4703fde2371b2381ea0ecfd65cb7b539f885c715bb05f355f1d7d885948a1657ff81e52eec4
SSDEEP

6144:xFeWbPHGA5WwZL407CNvQ8FybZgxOJdgjN1I9fQyVk45XKwkloS:TNGARLb8Fy8AgjNmm+k45XkloS

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2780	RUN.exe
2940	FK.EXE

Loads dropped DLL 3 IoCs

pid	Process
2092	cmd.exe
2780	RUN.exe
2780	RUN.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2224-0-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2224-45-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Driver404 = "C:\\DATA123\\FK.exe"	RUN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Driver405 = "C:\\DATA123\\SEND.exe"	RUN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FK.EXE = "C:\\DATA123\\FK.EXE"	FK.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2940	FK.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE
2940	FK.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2092	2224	5f5ec45d962b1cb2f7b474c9c72bfec3_JaffaCakes118.exe	29
PID 2224 wrote to memory of 2092	2224	5f5ec45d962b1cb2f7b474c9c72bfec3_JaffaCakes118.exe	29
PID 2224 wrote to memory of 2092	2224	5f5ec45d962b1cb2f7b474c9c72bfec3_JaffaCakes118.exe	29
PID 2224 wrote to memory of 2092	2224	5f5ec45d962b1cb2f7b474c9c72bfec3_JaffaCakes118.exe	29
PID 2092 wrote to memory of 2780	2092	cmd.exe	31
PID 2092 wrote to memory of 2780	2092	cmd.exe	31
PID 2092 wrote to memory of 2780	2092	cmd.exe	31
PID 2092 wrote to memory of 2780	2092	cmd.exe	31
PID 2780 wrote to memory of 2940	2780	RUN.exe	32
PID 2780 wrote to memory of 2940	2780	RUN.exe	32
PID 2780 wrote to memory of 2940	2780	RUN.exe	32
PID 2780 wrote to memory of 2940	2780	RUN.exe	32

C:\Users\Admin\AppData\Local\Temp\5f5ec45d962b1cb2f7b474c9c72bfec3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5f5ec45d962b1cb2f7b474c9c72bfec3_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\6854.tmp\AutoRun.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\RUN.exe
    RUN
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\DATA123\FK.EXE
      "C:\DATA123\FK.EXE"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6854.tmp\AutoRun.bat

Filesize
3B

MD5
855520d2a5b0b1a64b939e7e30889e2a

SHA1
ad173e04d8ecca3dab1c425136333c79954a3f23

SHA256
ddeaded8ad8e44933f39e672a8886d49ba10738d78bde119b2fe7c3c25fdc4d4

SHA512
4c1bceb6d065bd7d307c8f137f4eb78976fbdfa132e13c186daa29caae1b6f9e2750f58d0686d7b9f72de207e90ffe9c3bcadc7b026728acda7e9d2506e69476

Download Submit
C:\Users\Admin\AppData\Local\Temp\FK.exe

Filesize
233KB

MD5
5000b28e31a9ce91dc8cf55f9e962fe8

SHA1
a696e0f3ea6799e1a471462c2fbc531c141247af

SHA256
50eae8141dcc274548064ceca13a773ed6eea8e6d60dd9188503baa54e20bede

SHA512
86c425d7e8f527d039d43abeae1ebd1691a138a968626499fd0cd077b9a8fc4c95684e5f347f8806ca51b2d5f0747448a2d8190a9a65f0d2646320dbaa661824

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUN.exe

Filesize
20KB

MD5
78bb12eb10ff737d67bd30203a63dc05

SHA1
ae34050353b59b2205a9aa1c0eb3e08538d548aa

SHA256
a20c6d8b8ee6674d57ca6225b74760531c2ca29a72a30413248128b3c9abb39e

SHA512
a0a64f93ce2491cc30b16561bec66e1c19b65be8f13e8c3e3c2389bf37e2bb14416ae2da0d1281b04d59cba210f5485d5879f9088caed3cfade0f97288b92606

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEND.exe

Filesize
21KB

MD5
1eef58b7063655ce0a3bad9c1db4eade

SHA1
fb31a366cf2f382eca2fc6127a08596509839266

SHA256
0e24f5efab22dbe8fe84c22b6933b06bffa1ec978bdc79d7f250783e9023a9e6

SHA512
c92a07a4cf93529ad523c9154ce2ac26a96d096193632023b5fb09f86cf7be9663c5d4ece25b4331b7f9dea92f0e5be195d69d675a116d72289549558d3aa9f6

Download Submit
memory/2224-45-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2224-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2780-26-0x0000000000CC0000-0x0000000000CCC000-memory.dmp

Filesize
48KB

Download
memory/2780-27-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/2780-38-0x00000000046E0000-0x000000000477E000-memory.dmp

Filesize
632KB

Download
memory/2780-40-0x00000000046E0000-0x000000000477E000-memory.dmp

Filesize
632KB

Download
memory/2780-43-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/2780-25-0x0000000073E0E000-0x0000000073E0F000-memory.dmp

Filesize
4KB

Download
memory/2940-42-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2940-46-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2940-47-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2940-49-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads