3ef4c5ea3b3e4ee6502d5e0df8c97198474453a56e14d060b1e67d6343e03200

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
Size

16KB
MD5

63d8c4e3082e05144b60ba96755ebb43
SHA1

a7476989423dc65bb6a7ba85ebb4dde9ce79fdeb
SHA256

3ef4c5ea3b3e4ee6502d5e0df8c97198474453a56e14d060b1e67d6343e03200
SHA512

be5ffb4865b2f9039d611034ec40dfa4a24ca5c30a14311ed953f9c35213df49e6559945cab9eaf099090e9633d7c5043b51109bf67d5d10752ef87841921445
SSDEEP

384:EQ2kuizI0H0DqoDlF2o4MjtNeeC1AyNBFg7:EQ5NzUuorVjbeeWg

Score

8^/10

persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\smile = "C:\\Users\\Admin\\AppData\\Local\\Temp\\63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe"	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
32	wcm.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/400-0-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/400-5-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/400-6-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/400-7-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/400-8-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/400-9-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/400-10-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/400-11-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/400-12-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/400-13-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/400-14-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/400-15-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/400-16-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/400-17-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/400-18-0x0000000000400000-0x0000000000411000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
32	wcm.exe
32	wcm.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
32	wcm.exe
32	wcm.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
32	wcm.exe
32	wcm.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
32	wcm.exe
32	wcm.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
32	wcm.exe
32	wcm.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
32	wcm.exe
32	wcm.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
32	wcm.exe
32	wcm.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
32	wcm.exe
32	wcm.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
32	wcm.exe
32	wcm.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
32	wcm.exe
32	wcm.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
32	wcm.exe
32	wcm.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
32	wcm.exe
32	wcm.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
32	wcm.exe
32	wcm.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
32	wcm.exe
32	wcm.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
32	wcm.exe
32	wcm.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
32	wcm.exe
32	wcm.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 32	400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe	84
PID 400 wrote to memory of 32	400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe	84
PID 400 wrote to memory of 32	400	63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\63d8c4e3082e05144b60ba96755ebb43_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:400
- C:\Users\Admin\AppData\Local\Temp\wcm.exe
  C:\Users\Admin\AppData\Local\Temp\wcm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:32

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wcm.exe

Filesize
10KB

MD5
e0909ba35a8b5d74608bc0427fef2c6c

SHA1
c190c3d8613d7c487a48ac7cb803eebc59533cce

SHA256
da46bba0358f73774719fbbec8667e6fcc6590d67feb3068d244ff7053c2f98d

SHA512
1a07c5d2518618941f6e466b8706abdd6dfa8f749ea7cf9bcf06a87e023063574425335e1c528d9a254dac1cf0de04a5cd88e31ba5aa9a2eacf60c3830d2d389

Download Submit
memory/400-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/400-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/400-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/400-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/400-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/400-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/400-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/400-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/400-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/400-13-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/400-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/400-15-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/400-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/400-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/400-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download