9638581a59653c0d6f01110be90cfaf13b15ab91b3839ee9d46dce33f26e6a2b

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

633b2db9da9af8ce7f6c14acbd24770a_JaffaCakes118.exe
Size

370KB
MD5

633b2db9da9af8ce7f6c14acbd24770a
SHA1

7c6d4fc0cddb0213fc98421167f75e5d7afe27fe
SHA256

9638581a59653c0d6f01110be90cfaf13b15ab91b3839ee9d46dce33f26e6a2b
SHA512

fac63132db6d52d55c10618dac00f3b4ffe7cc1ddc5284dd90da5e24f447366273aea7712590ab36a2f243535e7c095c4b29bef9f6ba54db4b3993ee55a52172
SSDEEP

3072:zXjoutudpVpg4fq0SjJpyHwwwkrqxGrDgaghZuRaaaPaAtzVSR+5MCG:zXjoSEVC4fq0QWBrrDz3WtzVSA5MC

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2688	b2e.exe

Loads dropped DLL 2 IoCs

pid	Process
2812	633b2db9da9af8ce7f6c14acbd24770a_JaffaCakes118.exe
2812	633b2db9da9af8ce7f6c14acbd24770a_JaffaCakes118.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2812-1-0x0000000000400000-0x00000000004BF000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2688	2812	633b2db9da9af8ce7f6c14acbd24770a_JaffaCakes118.exe	30
PID 2812 wrote to memory of 2688	2812	633b2db9da9af8ce7f6c14acbd24770a_JaffaCakes118.exe	30
PID 2812 wrote to memory of 2688	2812	633b2db9da9af8ce7f6c14acbd24770a_JaffaCakes118.exe	30
PID 2812 wrote to memory of 2688	2812	633b2db9da9af8ce7f6c14acbd24770a_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2608	2688	b2e.exe	31
PID 2688 wrote to memory of 2608	2688	b2e.exe	31
PID 2688 wrote to memory of 2608	2688	b2e.exe	31
PID 2688 wrote to memory of 2608	2688	b2e.exe	31
PID 2688 wrote to memory of 2616	2688	b2e.exe	33
PID 2688 wrote to memory of 2616	2688	b2e.exe	33
PID 2688 wrote to memory of 2616	2688	b2e.exe	33
PID 2688 wrote to memory of 2616	2688	b2e.exe	33

C:\Users\Admin\AppData\Local\Temp\633b2db9da9af8ce7f6c14acbd24770a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\633b2db9da9af8ce7f6c14acbd24770a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Users\Admin\AppData\Local\Temp\5A60.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\5A60.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5A60.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\633b2db9da9af8ce7f6c14acbd24770a_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\5B2B.tmp\batfile.bat" "
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
    3⤵
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5B2B.tmp\batfile.bat

Filesize
158B

MD5
2ebd35710cdf46a6bfc1b7a9a573e991

SHA1
c52403395a0b51b50cd550e97d8cc260605bc873

SHA256
52ca6a8fe69ab59ca99b72500f5a9baadbe277ca0dea6dd8462acb322678a146

SHA512
d2907d3fe5c3c44f8fb08e233671a9cf268f647e9cd7780c46b3db7afe74b5c59a410ac4993dd5e5a928b6dc5e95d31e6bebc34e1bf9746b6dab6283d798ea8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel0.bat

Filesize
158B

MD5
b3334373c225b6becd3224ba23db04a2

SHA1
08a73a319e68cc0234ef4c688592837693176818

SHA256
061204d888051bb40db66c4b7c2cd5a697336ea06f5c299a74e9cc0f34aa5f42

SHA512
539d8315b2a0e42fc44f1351362c6c2b46f0cfe26edcbb79f1449c086d4078e4955e868dec86a5e3c0bd07af86b60bc2077365ef73f910f3badc816b2958d66a

Download Submit
\Users\Admin\AppData\Local\Temp\5A60.tmp\b2e.exe

Filesize
8KB

MD5
b59836f8bce4b7a9c5c44bd3d77bbc05

SHA1
deef3c038817d8af51ebae1c9b547bdeafe90500

SHA256
82b620227e2ff4eecdc396367ef3cd090db387d5fa9c28be98296892acbe0952

SHA512
ba329fecfd4367fdc26b9daa3974e62d27b4763d850f182246ad2f27f8dcb445ec803b576d617d93881d774f2b19a437fef0909c8a637ec9fc2b3380113095d6

Download Submit
memory/2688-13-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2688-36-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2812-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download