469ba12866ab891a48f252348f3d794e434cc7db3a95aa52bad50896e1b5a6aa

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65885257742e286a25fc6c64fb809b8d_JaffaCakes118.exe
Size

443KB
MD5

65885257742e286a25fc6c64fb809b8d
SHA1

b53132106e71dbc27407a7655a2e8d1b3c8c1472
SHA256

469ba12866ab891a48f252348f3d794e434cc7db3a95aa52bad50896e1b5a6aa
SHA512

ae36abe54fa2776043de0f4770109d3d6143a9c25ba10bfb4b4761fb988640b5570c838da755035e52ccaa53aa50891c05a84712a848467db3c4e25ecb64911d
SSDEEP

12288:djHXtuvJ5OTJpD6hLsMMDg/bD6ooBESJ:dhWiTJt6dDMMHa

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2756	pD01803OjGmE01803.exe

Executes dropped EXE 1 IoCs

pid	Process
2756	pD01803OjGmE01803.exe

Loads dropped DLL 2 IoCs

pid	Process
1928	65885257742e286a25fc6c64fb809b8d_JaffaCakes118.exe
1928	65885257742e286a25fc6c64fb809b8d_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1928-1-0x0000000000400000-0x00000000004BF000-memory.dmp	upx
behavioral1/memory/1928-2-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1928-20-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1928-19-0x0000000000400000-0x00000000004BF000-memory.dmp	upx
behavioral1/memory/2756-22-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2756-23-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2756-32-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2756-41-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pD01803OjGmE01803 = "C:\\ProgramData\\pD01803OjGmE01803\\pD01803OjGmE01803.exe"	pD01803OjGmE01803.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	pD01803OjGmE01803.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1928	65885257742e286a25fc6c64fb809b8d_JaffaCakes118.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1928	65885257742e286a25fc6c64fb809b8d_JaffaCakes118.exe
Token: SeDebugPrivilege	2756	pD01803OjGmE01803.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2756	pD01803OjGmE01803.exe
2756	pD01803OjGmE01803.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2756	1928	65885257742e286a25fc6c64fb809b8d_JaffaCakes118.exe	30
PID 1928 wrote to memory of 2756	1928	65885257742e286a25fc6c64fb809b8d_JaffaCakes118.exe	30
PID 1928 wrote to memory of 2756	1928	65885257742e286a25fc6c64fb809b8d_JaffaCakes118.exe	30
PID 1928 wrote to memory of 2756	1928	65885257742e286a25fc6c64fb809b8d_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\65885257742e286a25fc6c64fb809b8d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\65885257742e286a25fc6c64fb809b8d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\ProgramData\pD01803OjGmE01803\pD01803OjGmE01803.exe
  "C:\ProgramData\pD01803OjGmE01803\pD01803OjGmE01803.exe" "C:\Users\Admin\AppData\Local\Temp\65885257742e286a25fc6c64fb809b8d_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pD01803OjGmE01803\pD01803OjGmE01803

Filesize
192B

MD5
6a2b44dc9216a2168e8cf2d3b55c2d52

SHA1
564436ec7da1939887d84b9cdefb0de5c922df39

SHA256
2343d9b904fb75375fbf8363afbdbc0540b254dec7f682dbacda4680fabb80be

SHA512
19343c7c511843c54fbc82373b4ba000fbb81dfccaab30b8ce6ceaf7d57f2638c0377824917efe97b30e6f90ff25e807edf45de0fd56b46c0453e0382d68e4ca

Download Submit
\ProgramData\pD01803OjGmE01803\pD01803OjGmE01803.exe

Filesize
443KB

MD5
54e3e3d2c777801083b0a6c9e739fcce

SHA1
f954884dc88ce81c18f3c855b92202299cbfc3e6

SHA256
3714b417c05fe3c8c6e9c26368fd58edc251d9d25827b21ee2be6009117a8ee4

SHA512
917f2e9c9ec2ef6d82d83e5ac845b9bf2cb2af3db8cc87fc6cfefadd8ba7a1d8a3be7718ebefde645cfb8dfdd8002570d504fa115a6fc2af827e368f77bcf951

Download Submit
memory/1928-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1928-2-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1928-20-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1928-19-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2756-22-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2756-23-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2756-32-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2756-41-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download