d066b0c6ebcfea6ee042815ed5ff7fb37354894e88b79a18910192f6064f513f

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63baef9dd79f5fb9c058c8510f7bc453_JaffaCakes118.exe
Size

483KB
MD5

63baef9dd79f5fb9c058c8510f7bc453
SHA1

36a182ed61badcf53ba9f79a710938abedcea09a
SHA256

d066b0c6ebcfea6ee042815ed5ff7fb37354894e88b79a18910192f6064f513f
SHA512

a0fa2e15c8592e1b3fbce037b10c3424ac770999a9b5a61c4575f57cfe38bda55bac166a6ee36600125ea00fecfe1db2ecf316c99d80139f71e94691ec248425
SSDEEP

12288:CXk1IX7HbiyqI6H1RB6iLlO7nahO7MfV34hwoS:2k1IXj2y96HJ9LloqO7MfV3

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2708	gB01821AdJgM01821.exe

Executes dropped EXE 1 IoCs

pid	Process
2708	gB01821AdJgM01821.exe

Loads dropped DLL 1 IoCs

pid	Process
2524	63baef9dd79f5fb9c058c8510f7bc453_JaffaCakes118.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2524-0-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2524-8-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/files/0x000800000001660d-12.dat	upx
behavioral1/memory/2708-17-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2708-26-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2524-20-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2524-19-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2524-16-0x00000000029B0000-0x0000000002A85000-memory.dmp	upx
behavioral1/memory/2708-30-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2708-31-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2708-41-0x0000000000400000-0x00000000004D5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\gB01821AdJgM01821 = "C:\\ProgramData\\gB01821AdJgM01821\\gB01821AdJgM01821.exe"	gB01821AdJgM01821.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	gB01821AdJgM01821.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2524	63baef9dd79f5fb9c058c8510f7bc453_JaffaCakes118.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	63baef9dd79f5fb9c058c8510f7bc453_JaffaCakes118.exe
Token: SeDebugPrivilege	2708	gB01821AdJgM01821.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2708	gB01821AdJgM01821.exe
2708	gB01821AdJgM01821.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2708	2524	63baef9dd79f5fb9c058c8510f7bc453_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2708	2524	63baef9dd79f5fb9c058c8510f7bc453_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2708	2524	63baef9dd79f5fb9c058c8510f7bc453_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2708	2524	63baef9dd79f5fb9c058c8510f7bc453_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\63baef9dd79f5fb9c058c8510f7bc453_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\63baef9dd79f5fb9c058c8510f7bc453_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524
- C:\ProgramData\gB01821AdJgM01821\gB01821AdJgM01821.exe
  "C:\ProgramData\gB01821AdJgM01821\gB01821AdJgM01821.exe" "C:\Users\Admin\AppData\Local\Temp\63baef9dd79f5fb9c058c8510f7bc453_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\gB01821AdJgM01821\gB01821AdJgM01821

Filesize
192B

MD5
0b0a323ee2fbb3b4409ad5c2ad492215

SHA1
091bc6d553765e8594dc3f7b90e8c1bd7aacf8ce

SHA256
b201f818842521129cb085752117a2e7ec3ab5f019d988c990d8f7048182750f

SHA512
4ca523b4885b3b8f567db5eab4abb79c49a2cd123e6713f72bafdd449fa7ea00b91d7796f8f66629a958e6a553c241ad1e5285179e4f5c67db74f3a9b61ab4c1

Download Submit
\ProgramData\gB01821AdJgM01821\gB01821AdJgM01821.exe

Filesize
483KB

MD5
f6310a8e9cfeb367389234eade7afad8

SHA1
6940b45fbc020d150779ad5ded404b0852e130df

SHA256
75daa2e3fd2669f2ecf674ffbc873833cd2950a0da085293a911521a1a1a96a1

SHA512
263d92a46980f971562fe0028271ae7c73952bf84402da1491350566b40cb7db5777dd4ffe1e226eeb483bbc9b08cf97137ecce6cb90d3871afe04b1acfdc5dc

Download Submit
memory/2524-8-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2524-0-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2524-1-0x0000000000290000-0x0000000000336000-memory.dmp

Filesize
664KB

Download
memory/2524-2-0x00000000020F0000-0x0000000002143000-memory.dmp

Filesize
332KB

Download
memory/2524-20-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2524-19-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2524-16-0x00000000029B0000-0x0000000002A85000-memory.dmp

Filesize
852KB

Download
memory/2708-17-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2708-26-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2708-30-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2708-31-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2708-41-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download