f3c621fc1e9f259419c615364e9125f14087c4575e22dce3983655be62f6facc

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 18:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

60dcb015a2d1b646847326f40d79ac91_JaffaCakes118.exe
Size

13KB
MD5

60dcb015a2d1b646847326f40d79ac91
SHA1

2f6fb1347382dfc31602f777738df2f93f72d406
SHA256

f3c621fc1e9f259419c615364e9125f14087c4575e22dce3983655be62f6facc
SHA512

63e532095cbe4affc7d1c0d87c588df5d705b05ed16e981103e9bad3983d52f8931bd3301b0a89fe46ea1347c690c1cba6b3c65d45a81479a534738ece14e45a
SSDEEP

192:J0EfcoW8r4BI/zjvJHkndHmDA9y3HlSPHqKfFoKJ77wc5l1VV/1GtwmSyql:J0EEGeI/zjv5Sw89j/97wCVVtcH2

Score

8^/10

persistence privilege_escalation upx

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Deletes itself 1 IoCs

pid	Process
2348	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2912	woodkenk.exe

Loads dropped DLL 2 IoCs

pid	Process
2396	60dcb015a2d1b646847326f40d79ac91_JaffaCakes118.exe
2396	60dcb015a2d1b646847326f40d79ac91_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2396-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x0008000000016d29-3.dat	upx
behavioral1/memory/2396-4-0x00000000002B0000-0x00000000002BF000-memory.dmp	upx
behavioral1/memory/2912-12-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2396-13-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2912-14-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\woodken.dll	60dcb015a2d1b646847326f40d79ac91_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\woodkenk.exe	60dcb015a2d1b646847326f40d79ac91_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\woodkenk.exe	60dcb015a2d1b646847326f40d79ac91_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2912	2396	60dcb015a2d1b646847326f40d79ac91_JaffaCakes118.exe	30
PID 2396 wrote to memory of 2912	2396	60dcb015a2d1b646847326f40d79ac91_JaffaCakes118.exe	30
PID 2396 wrote to memory of 2912	2396	60dcb015a2d1b646847326f40d79ac91_JaffaCakes118.exe	30
PID 2396 wrote to memory of 2912	2396	60dcb015a2d1b646847326f40d79ac91_JaffaCakes118.exe	30
PID 2396 wrote to memory of 2348	2396	60dcb015a2d1b646847326f40d79ac91_JaffaCakes118.exe	32
PID 2396 wrote to memory of 2348	2396	60dcb015a2d1b646847326f40d79ac91_JaffaCakes118.exe	32
PID 2396 wrote to memory of 2348	2396	60dcb015a2d1b646847326f40d79ac91_JaffaCakes118.exe	32
PID 2396 wrote to memory of 2348	2396	60dcb015a2d1b646847326f40d79ac91_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\60dcb015a2d1b646847326f40d79ac91_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\60dcb015a2d1b646847326f40d79ac91_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\SysWOW64\woodkenk.exe
  C:\Windows\system32\woodkenk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\60dcb015a2d1b646847326f40d79ac91_JaffaCakes118.exe.bat
  2⤵
  - Deletes itself
  PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\60dcb015a2d1b646847326f40d79ac91_JaffaCakes118.exe.bat

Filesize
210B

MD5
64b11396c4c6660787300fd71f08cf5f

SHA1
6f2be1f1d4b0e7e2b582f1c1854ecc6d36954487

SHA256
e88d35a336bf6b545cc2abdcc79b19033dfb43bc45071700e622bc042a07fb2d

SHA512
72cba938f43da532ccb85e6d129968fa57a3424ba5f9104d2868aec253257cdce229fbd615edae0ca57edb37805a0a41ea02bbde5a6207bb355491a8f4a61b7e

Download Submit
\Windows\SysWOW64\woodkenk.exe

Filesize
13KB

MD5
60dcb015a2d1b646847326f40d79ac91

SHA1
2f6fb1347382dfc31602f777738df2f93f72d406

SHA256
f3c621fc1e9f259419c615364e9125f14087c4575e22dce3983655be62f6facc

SHA512
63e532095cbe4affc7d1c0d87c588df5d705b05ed16e981103e9bad3983d52f8931bd3301b0a89fe46ea1347c690c1cba6b3c65d45a81479a534738ece14e45a

Download Submit
memory/2396-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2396-4-0x00000000002B0000-0x00000000002BF000-memory.dmp

Filesize
60KB

Download
memory/2396-8-0x00000000002B0000-0x00000000002BF000-memory.dmp

Filesize
60KB

Download
memory/2396-13-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2396-17-0x00000000002B0000-0x00000000002BF000-memory.dmp

Filesize
60KB

Download
memory/2912-12-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2912-14-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download