ff7593abfbe85474a276d2cf28d60cd7fb514ee5c376336f942982147b48a802

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

609196f1f60617d3d527d2673a9ed886_JaffaCakes118.exe
Size

202KB
MD5

609196f1f60617d3d527d2673a9ed886
SHA1

f59ecb48afece41c70c4acaa94a019c3bbfe92f2
SHA256

ff7593abfbe85474a276d2cf28d60cd7fb514ee5c376336f942982147b48a802
SHA512

f9daddaecbfff4187516dc060ac24396c8996a46f330d3cf87721d958c9943424eaa08cc4eaa8c18c0db76b31377cababc7cfad24d6499fc52bcb0b086bc4dea
SSDEEP

6144:VNNSN06BtfEcThfUiAHSZLufLsdANIf+UWT:PIN0CpEcFfUvwifNI2U2

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2304	Eduria.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2112-0-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/files/0x0007000000015d93-11.dat	upx
behavioral1/memory/2304-13-0x0000000000400000-0x000000000046F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\3ETECE6I8G = "C:\\Windows\\Eduria.exe"	Eduria.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	609196f1f60617d3d527d2673a9ed886_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	609196f1f60617d3d527d2673a9ed886_JaffaCakes118.exe
File created	C:\Windows\Eduria.exe	609196f1f60617d3d527d2673a9ed886_JaffaCakes118.exe
File opened for modification	C:\Windows\Eduria.exe	609196f1f60617d3d527d2673a9ed886_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	Eduria.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	609196f1f60617d3d527d2673a9ed886_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe
2304	Eduria.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2112	609196f1f60617d3d527d2673a9ed886_JaffaCakes118.exe
2304	Eduria.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2112	609196f1f60617d3d527d2673a9ed886_JaffaCakes118.exe
2304	Eduria.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2304	2112	609196f1f60617d3d527d2673a9ed886_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2304	2112	609196f1f60617d3d527d2673a9ed886_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2304	2112	609196f1f60617d3d527d2673a9ed886_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2304	2112	609196f1f60617d3d527d2673a9ed886_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\609196f1f60617d3d527d2673a9ed886_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\609196f1f60617d3d527d2673a9ed886_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\Eduria.exe
  C:\Windows\Eduria.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of UnmapMainImage
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Eduria.exe

Filesize
202KB

MD5
609196f1f60617d3d527d2673a9ed886

SHA1
f59ecb48afece41c70c4acaa94a019c3bbfe92f2

SHA256
ff7593abfbe85474a276d2cf28d60cd7fb514ee5c376336f942982147b48a802

SHA512
f9daddaecbfff4187516dc060ac24396c8996a46f330d3cf87721d958c9943424eaa08cc4eaa8c18c0db76b31377cababc7cfad24d6499fc52bcb0b086bc4dea

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
372B

MD5
70e08de43724b8d3ec28a1ab9e8c7f12

SHA1
f98c50eca8a5a4cc38840cab652f33ccb02e7a51

SHA256
6fd0314a3c962ece1a9df5f7e5f345f9b1ca4eed014cee3ff409c48aa1191013

SHA512
116b7f192efcc2df1c43344f43101cbf6bf65ab16a34b2e14ee53179726254c912d47b7792cf6d03851335b8e29ffeea5bcf824f807d53472273631a3ea6d961

Download Submit
memory/2112-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2112-1-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2112-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2112-3-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2112-12-0x0000000002250000-0x00000000022BF000-memory.dmp

Filesize
444KB

Download
memory/2112-94698-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2304-13-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2304-18-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2304-20-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2304-23844-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23845-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23843-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23842-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23841-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23840-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23839-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23838-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23837-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23835-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23834-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23833-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23831-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23829-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23830-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23828-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23826-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23824-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23823-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23822-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23821-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23819-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23818-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23817-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23816-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23814-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23813-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23812-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23795-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23793-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23836-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23832-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23827-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23825-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23820-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23815-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23810-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23805-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23798-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-23794-0x0000000001DB0000-0x0000000001EB0000-memory.dmp

Filesize
1024KB

Download
memory/2304-47226-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download