dad5d017f3a72dc264c43a7d94c169df78aa61c5a6004bfd2bd2372050a66a70

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 12:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

60924c42d795b48b53fbc54c6c9b5e74_JaffaCakes118.exe
Size

9KB
MD5

60924c42d795b48b53fbc54c6c9b5e74
SHA1

591fbebe2568fefb459de81302ef02d7cc14a5fd
SHA256

dad5d017f3a72dc264c43a7d94c169df78aa61c5a6004bfd2bd2372050a66a70
SHA512

0c4de86a39374704ebb9635de01e26a4c82cb0741c33276750cdc117a0b25a41e93e07b2928348debed9036cf33b0e56c38914b06444f0202952052501c8cb52
SSDEEP

192:/spObPAdOO9UWmOLI4joPr4Kvpm67dIWtWXTzZ:/ssb0OUUoLIAKr4KvpiB

Score

8^/10

persistence privilege_escalation upx

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Executes dropped EXE 1 IoCs

pid	Process
3148	dualeyk.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1084-0-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/files/0x0007000000023432-4.dat	upx
behavioral2/memory/3148-6-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1084-9-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dualeyk.exe	60924c42d795b48b53fbc54c6c9b5e74_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dualeyk.exe	60924c42d795b48b53fbc54c6c9b5e74_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dualey.dll	60924c42d795b48b53fbc54c6c9b5e74_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 3148	1084	60924c42d795b48b53fbc54c6c9b5e74_JaffaCakes118.exe	85
PID 1084 wrote to memory of 3148	1084	60924c42d795b48b53fbc54c6c9b5e74_JaffaCakes118.exe	85
PID 1084 wrote to memory of 3148	1084	60924c42d795b48b53fbc54c6c9b5e74_JaffaCakes118.exe	85
PID 1084 wrote to memory of 4604	1084	60924c42d795b48b53fbc54c6c9b5e74_JaffaCakes118.exe	89
PID 1084 wrote to memory of 4604	1084	60924c42d795b48b53fbc54c6c9b5e74_JaffaCakes118.exe	89
PID 1084 wrote to memory of 4604	1084	60924c42d795b48b53fbc54c6c9b5e74_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\60924c42d795b48b53fbc54c6c9b5e74_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\60924c42d795b48b53fbc54c6c9b5e74_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\SysWOW64\dualeyk.exe
  C:\Windows\system32\dualeyk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:3148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\60924c42d795b48b53fbc54c6c9b5e74_JaffaCakes118.exe.bat
  2⤵
  PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\60924c42d795b48b53fbc54c6c9b5e74_JaffaCakes118.exe.bat

Filesize
210B

MD5
9a773741326d66a74e33f7e997159d18

SHA1
e414e73ca56b55fe7704c2d8c8b8b8b05009ae05

SHA256
908d84c18d0eeb16097d17441d5cdad9fe41e47aa6a343e7615187972372630c

SHA512
dddb2609deda7359c5bffd76d8cff127268d168611905b0bb75dc9a4942fe7557ca942546fbfd132ce9717db1981b5e60201c295a482e9434e8a0176f7c651fc

Download Submit
C:\Windows\SysWOW64\dualeyk.exe

Filesize
9KB

MD5
60924c42d795b48b53fbc54c6c9b5e74

SHA1
591fbebe2568fefb459de81302ef02d7cc14a5fd

SHA256
dad5d017f3a72dc264c43a7d94c169df78aa61c5a6004bfd2bd2372050a66a70

SHA512
0c4de86a39374704ebb9635de01e26a4c82cb0741c33276750cdc117a0b25a41e93e07b2928348debed9036cf33b0e56c38914b06444f0202952052501c8cb52

Download Submit
memory/1084-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1084-9-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3148-6-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download