c29a9769d7673c4528895f470f9fff457d1562fd2852a1d473aa041bd6ac6cf0

Analysis

max time kernel
141s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6623ca2c549cdf5eda35db5bb6e8d801_JaffaCakes118.exe
Size

20KB
MD5

6623ca2c549cdf5eda35db5bb6e8d801
SHA1

e533fa425d3559bf07c46ef7a2e942d15a8926a5
SHA256

c29a9769d7673c4528895f470f9fff457d1562fd2852a1d473aa041bd6ac6cf0
SHA512

bcbda4bebed6262447f73c9c4d8f464092b3151ca05cd155e7b93261843d0efa70c5439c4f834dfb2d29b35f75ee8397ed368a983f4bf0650ba09f37db77616b
SSDEEP

384:AEXjm1njCHwnxYWGs5bZBxr3z/rPXnp9yzltICGZdXG7iGgDIzlbCct:9i9jGs5bZD3/PXnp9wltIloFgDIZCc

Score

7^/10

persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00080000000161fd-6.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
1296	6623ca2c549cdf5eda35db5bb6e8d801_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1296-2-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1296-8-0x0000000010000000-0x000000001000D000-memory.dmp	upx
behavioral1/files/0x00080000000161fd-6.dat	upx
behavioral1/memory/1296-9-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\8vuj0j = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Servere.exe"	6623ca2c549cdf5eda35db5bb6e8d801_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2768	1296	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1296	6623ca2c549cdf5eda35db5bb6e8d801_JaffaCakes118.exe
1296	6623ca2c549cdf5eda35db5bb6e8d801_JaffaCakes118.exe
1296	6623ca2c549cdf5eda35db5bb6e8d801_JaffaCakes118.exe
1296	6623ca2c549cdf5eda35db5bb6e8d801_JaffaCakes118.exe
1296	6623ca2c549cdf5eda35db5bb6e8d801_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1296	6623ca2c549cdf5eda35db5bb6e8d801_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 1240	1296	6623ca2c549cdf5eda35db5bb6e8d801_JaffaCakes118.exe	21
PID 1296 wrote to memory of 2768	1296	6623ca2c549cdf5eda35db5bb6e8d801_JaffaCakes118.exe	30
PID 1296 wrote to memory of 2768	1296	6623ca2c549cdf5eda35db5bb6e8d801_JaffaCakes118.exe	30
PID 1296 wrote to memory of 2768	1296	6623ca2c549cdf5eda35db5bb6e8d801_JaffaCakes118.exe	30
PID 1296 wrote to memory of 2768	1296	6623ca2c549cdf5eda35db5bb6e8d801_JaffaCakes118.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\6623ca2c549cdf5eda35db5bb6e8d801_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\6623ca2c549cdf5eda35db5bb6e8d801_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 212
    3⤵
    - Program crash
    PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Rav30.dll

Filesize
14KB

MD5
457695d479991697c851a4f8d190b64f

SHA1
8513bf3f0647b5418a10b8d0488f153a6300e268

SHA256
773eb73cb74955ec7266c9cb683826334da90481adda209020620b68ba2229da

SHA512
f3eb1e8bd92bed1555bc776c271ed5eb41843d28af8ab159b9797bb7f752347ac554dff556134920183518adbaa06d4508acf51fc747d2edadb07ee99b1fbed3

Download Submit
memory/1240-5-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/1296-2-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1296-8-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/1296-9-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download