5f9ed063bdf77fb7eb20387fa715fd2ff135f58fdf81c29a1d132f9110da78a7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6163c1f1f0592371f237aa4c8beea275_JaffaCakes118.exe
Size

17KB
MD5

6163c1f1f0592371f237aa4c8beea275
SHA1

f48fb88fc63721e587693a2c25580ef2f9f94bc2
SHA256

5f9ed063bdf77fb7eb20387fa715fd2ff135f58fdf81c29a1d132f9110da78a7
SHA512

43f408045fa615befa2a0ec0ae5d4d80755994a43403e790d71e0cacda871c6459450e324aa71ef437ab62c4b34cf13abf298ef911eb7874b2a89d5d95839a6d
SSDEEP

384:f8N9qwONi/yub707G8gmExBS+rGGSZcdX1Hbc9vfyGwZo:UNQ6zb7b8rEUZwlHbc9vKBu

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
4788	test.exe
1240	test.exe
3656	test.exe
5464	test.exe
5516	test.exe
4232	test.exe
3540	test.exe
4608	test.exe
2432	test.exe
748	test.exe
5104	test.exe
3648	test.exe
4360	test.exe
4332	test.exe
5344	test.exe
5520	test.exe
3084	test.exe
3416	test.exe
5220	test.exe
540	test.exe
3412	test.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1372-0-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/files/0x0007000000023476-5.dat	upx
behavioral2/memory/4788-8-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3656-19-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4788-21-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1240-23-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1372-24-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/5464-29-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/5516-34-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4232-37-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4232-43-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3540-45-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4608-47-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4608-49-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4608-55-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/2432-57-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/748-60-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/748-67-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/5104-69-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3648-72-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3648-78-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4360-80-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4332-83-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4332-90-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/5344-92-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/5520-95-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/5520-102-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3084-104-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3416-107-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3416-113-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/5220-115-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/540-118-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/540-125-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3412-127-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\new.txt	test.exe
File created	C:\Windows\SysWOW64\new.txt	test.exe
File created	C:\Windows\SysWOW64\new.txt	test.exe
File created	C:\Windows\SysWOW64\new.txt	test.exe
File created	C:\Windows\SysWOW64\new.txt	test.exe
File created	C:\Windows\SysWOW64\new.txt	test.exe
File created	C:\Windows\SysWOW64\new.txt	test.exe
File opened for modification	C:\Windows\SysWOW64\new.txt	test.exe
File created	C:\Windows\SysWOW64\new.txt	test.exe
File created	C:\Windows\SysWOW64\new.txt	test.exe
File created	C:\Windows\SysWOW64\new.txt	test.exe

Program crash 9 IoCs

pid	pid_target	Process	procid_target
5108	5516	WerFault.exe	98
3680	3540	WerFault.exe	106
780	2432	WerFault.exe	114
1628	5104	WerFault.exe	118
4768	4360	WerFault.exe	123
6084	5344	WerFault.exe	127
5996	3084	WerFault.exe	140
2076	5220	WerFault.exe	144
2892	3412	WerFault.exe	150

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 1240	4788	test.exe	85
PID 4788 wrote to memory of 1240	4788	test.exe	85
PID 4788 wrote to memory of 1240	4788	test.exe	85
PID 1372 wrote to memory of 3656	1372	6163c1f1f0592371f237aa4c8beea275_JaffaCakes118.exe	86
PID 1372 wrote to memory of 3656	1372	6163c1f1f0592371f237aa4c8beea275_JaffaCakes118.exe	86
PID 1372 wrote to memory of 3656	1372	6163c1f1f0592371f237aa4c8beea275_JaffaCakes118.exe	86
PID 5464 wrote to memory of 5516	5464	test.exe	98
PID 5464 wrote to memory of 5516	5464	test.exe	98
PID 5464 wrote to memory of 5516	5464	test.exe	98
PID 4232 wrote to memory of 3540	4232	test.exe	106
PID 4232 wrote to memory of 3540	4232	test.exe	106
PID 4232 wrote to memory of 3540	4232	test.exe	106
PID 4608 wrote to memory of 2432	4608	test.exe	114
PID 4608 wrote to memory of 2432	4608	test.exe	114
PID 4608 wrote to memory of 2432	4608	test.exe	114
PID 748 wrote to memory of 5104	748	test.exe	118
PID 748 wrote to memory of 5104	748	test.exe	118
PID 748 wrote to memory of 5104	748	test.exe	118
PID 3648 wrote to memory of 4360	3648	test.exe	123
PID 3648 wrote to memory of 4360	3648	test.exe	123
PID 3648 wrote to memory of 4360	3648	test.exe	123
PID 4332 wrote to memory of 5344	4332	test.exe	127
PID 4332 wrote to memory of 5344	4332	test.exe	127
PID 4332 wrote to memory of 5344	4332	test.exe	127
PID 5520 wrote to memory of 3084	5520	test.exe	140
PID 5520 wrote to memory of 3084	5520	test.exe	140
PID 5520 wrote to memory of 3084	5520	test.exe	140
PID 3416 wrote to memory of 5220	3416	test.exe	144
PID 3416 wrote to memory of 5220	3416	test.exe	144
PID 3416 wrote to memory of 5220	3416	test.exe	144
PID 540 wrote to memory of 3412	540	test.exe	150
PID 540 wrote to memory of 3412	540	test.exe	150
PID 540 wrote to memory of 3412	540	test.exe	150

C:\Users\Admin\AppData\Local\Temp\6163c1f1f0592371f237aa4c8beea275_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6163c1f1f0592371f237aa4c8beea275_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Local\Temp\test.exe
  "C:\Users\Admin\AppData\Local\Temp\test.exe"
  2⤵
  - Executes dropped EXE
  PID:3656

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\TEMP\test.exe
  "C:\Windows\TEMP\test.exe"
  2⤵
  - Executes dropped EXE
  PID:1240

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5464
- C:\Windows\TEMP\test.exe
  "C:\Windows\TEMP\test.exe"
  2⤵
  - Executes dropped EXE
  PID:5516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5516 -s 776
    3⤵
    - Program crash
    PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5516 -ip 5516
1⤵
PID:5408

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Windows\TEMP\test.exe
  "C:\Windows\TEMP\test.exe"
  2⤵
  - Executes dropped EXE
  PID:3540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 548
    3⤵
    - Program crash
    PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3540 -ip 3540
1⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\TEMP\test.exe
  "C:\Windows\TEMP\test.exe"
  2⤵
  - Executes dropped EXE
  PID:2432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 736
    3⤵
    - Program crash
    PID:780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2432 -ip 2432
1⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\TEMP\test.exe
  "C:\Windows\TEMP\test.exe"
  2⤵
  - Executes dropped EXE
  PID:5104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 940
    3⤵
    - Program crash
    PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5104 -ip 5104
1⤵
PID:5772

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Windows\TEMP\test.exe
  "C:\Windows\TEMP\test.exe"
  2⤵
  - Executes dropped EXE
  PID:4360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 964
    3⤵
    - Program crash
    PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4360 -ip 4360
1⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Windows\TEMP\test.exe
  "C:\Windows\TEMP\test.exe"
  2⤵
  - Executes dropped EXE
  PID:5344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 776
    3⤵
    - Program crash
    PID:6084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5344 -ip 5344
1⤵
PID:6088

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5520
- C:\Windows\TEMP\test.exe
  "C:\Windows\TEMP\test.exe"
  2⤵
  - Executes dropped EXE
  PID:3084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 772
    3⤵
    - Program crash
    PID:5996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3084 -ip 3084
1⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Windows\TEMP\test.exe
  "C:\Windows\TEMP\test.exe"
  2⤵
  - Executes dropped EXE
  PID:5220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 952
    3⤵
    - Program crash
    PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5220 -ip 5220
1⤵
PID:6020

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\TEMP\test.exe
  "C:\Windows\TEMP\test.exe"
  2⤵
  - Executes dropped EXE
  PID:3412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 952
    3⤵
    - Program crash
    PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3412 -ip 3412
1⤵
PID:5940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
17KB

MD5
6163c1f1f0592371f237aa4c8beea275

SHA1
f48fb88fc63721e587693a2c25580ef2f9f94bc2

SHA256
5f9ed063bdf77fb7eb20387fa715fd2ff135f58fdf81c29a1d132f9110da78a7

SHA512
43f408045fa615befa2a0ec0ae5d4d80755994a43403e790d71e0cacda871c6459450e324aa71ef437ab62c4b34cf13abf298ef911eb7874b2a89d5d95839a6d

Download Submit
memory/540-125-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/540-118-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/748-67-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/748-60-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1240-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1372-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1372-24-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2432-57-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3084-104-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3412-127-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3416-113-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3416-107-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3540-45-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3648-72-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3648-78-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3656-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4232-37-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4232-43-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4332-90-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4332-83-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4360-80-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4608-55-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4608-49-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4608-47-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4788-21-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4788-8-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5104-69-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5220-115-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5344-92-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5464-29-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5516-34-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5520-102-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5520-95-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download