ff7593abfbe85474a276d2cf28d60cd7fb514ee5c376336f942982147b48a802

Analysis

max time kernel
139s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

609196f1f60617d3d527d2673a9ed886_JaffaCakes118.exe
Size

202KB
MD5

609196f1f60617d3d527d2673a9ed886
SHA1

f59ecb48afece41c70c4acaa94a019c3bbfe92f2
SHA256

ff7593abfbe85474a276d2cf28d60cd7fb514ee5c376336f942982147b48a802
SHA512

f9daddaecbfff4187516dc060ac24396c8996a46f330d3cf87721d958c9943424eaa08cc4eaa8c18c0db76b31377cababc7cfad24d6499fc52bcb0b086bc4dea
SSDEEP

6144:VNNSN06BtfEcThfUiAHSZLufLsdANIf+UWT:PIN0CpEcFfUvwifNI2U2

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2336	Kqecoa.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3212-0-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/files/0x0008000000023452-11.dat	upx
behavioral2/memory/2336-14-0x0000000000400000-0x000000000046F000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Kqecoa.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	609196f1f60617d3d527d2673a9ed886_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	609196f1f60617d3d527d2673a9ed886_JaffaCakes118.exe
File created	C:\Windows\Kqecoa.exe	609196f1f60617d3d527d2673a9ed886_JaffaCakes118.exe
File opened for modification	C:\Windows\Kqecoa.exe	609196f1f60617d3d527d2673a9ed886_JaffaCakes118.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Kqecoa.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
37140	2336	WerFault.exe	87

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\Main	Kqecoa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe
2336	Kqecoa.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3212	609196f1f60617d3d527d2673a9ed886_JaffaCakes118.exe
2336	Kqecoa.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 2336	3212	609196f1f60617d3d527d2673a9ed886_JaffaCakes118.exe	87
PID 3212 wrote to memory of 2336	3212	609196f1f60617d3d527d2673a9ed886_JaffaCakes118.exe	87
PID 3212 wrote to memory of 2336	3212	609196f1f60617d3d527d2673a9ed886_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\609196f1f60617d3d527d2673a9ed886_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\609196f1f60617d3d527d2673a9ed886_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Windows\Kqecoa.exe
  C:\Windows\Kqecoa.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 900
    3⤵
    - Program crash
    PID:37140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2336 -ip 2336
1⤵
PID:37100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Kqecoa.exe

Filesize
202KB

MD5
609196f1f60617d3d527d2673a9ed886

SHA1
f59ecb48afece41c70c4acaa94a019c3bbfe92f2

SHA256
ff7593abfbe85474a276d2cf28d60cd7fb514ee5c376336f942982147b48a802

SHA512
f9daddaecbfff4187516dc060ac24396c8996a46f330d3cf87721d958c9943424eaa08cc4eaa8c18c0db76b31377cababc7cfad24d6499fc52bcb0b086bc4dea

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
390B

MD5
381d73acb1b78743979fc3e2a023fb49

SHA1
65cbb32f0b2ec8728d9f7c676a7a461181d56c55

SHA256
41d5f6969e99132cd7536db56611facb18aacdb3351fac410b7d8768a927ba57

SHA512
88a83387848b1c2265f611a7c86916e8786bbafe54cdf741e18c34d05e33aebd3984cc715de56e7134618c6b155645f76490750b65842ba9a9d39f789545fb90

Download Submit
memory/2336-14-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2336-18-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2336-22-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2336-122227-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3212-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3212-1-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/3212-2-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/3212-3-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3212-6-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3212-34338-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download