a2d08018d13895342890f096ff1e072694910b8bedbef9e8b2463463599b4959

Analysis

max time kernel
142s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

664d59e6abd751b006cf2df0e32600a4_JaffaCakes118.exe
Size

617KB
MD5

664d59e6abd751b006cf2df0e32600a4
SHA1

755f1163a7568f2bba4e397392c87ba480848deb
SHA256

a2d08018d13895342890f096ff1e072694910b8bedbef9e8b2463463599b4959
SHA512

089671de1bc60c980ea9ad43b8d066d2a3691e9ee396d185fe4fa4ae03cc844f77fd2fb8c7727127bd741b42f447bc6e04aa72adf3e2da70d28e83d919a72fb6
SSDEEP

6144:iiToL+5dbM74wLeQs6LpjzBWVDp6WqRQEB417STvM01XM/k9o+gluwtDQE/xGcQF:3ejlQwfNK55tSno

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4112	Qjyqaa.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3232-0-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral2/files/0x00080000000233c9-9.dat	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	664d59e6abd751b006cf2df0e32600a4_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	664d59e6abd751b006cf2df0e32600a4_JaffaCakes118.exe
File created	C:\Windows\Qjyqaa.exe	664d59e6abd751b006cf2df0e32600a4_JaffaCakes118.exe
File opened for modification	C:\Windows\Qjyqaa.exe	664d59e6abd751b006cf2df0e32600a4_JaffaCakes118.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Qjyqaa.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Qjyqaa.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
84772	4112	WerFault.exe	93

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\Main	Qjyqaa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe
4112	Qjyqaa.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3232	664d59e6abd751b006cf2df0e32600a4_JaffaCakes118.exe
4112	Qjyqaa.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 4112	3232	664d59e6abd751b006cf2df0e32600a4_JaffaCakes118.exe	93
PID 3232 wrote to memory of 4112	3232	664d59e6abd751b006cf2df0e32600a4_JaffaCakes118.exe	93
PID 3232 wrote to memory of 4112	3232	664d59e6abd751b006cf2df0e32600a4_JaffaCakes118.exe	93

C:\Users\Admin\AppData\Local\Temp\664d59e6abd751b006cf2df0e32600a4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\664d59e6abd751b006cf2df0e32600a4_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Windows\Qjyqaa.exe
  C:\Windows\Qjyqaa.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 824
    3⤵
    - Program crash
    PID:84772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4112 -ip 4112
1⤵
PID:84752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Qjyqaa.exe

Filesize
617KB

MD5
664d59e6abd751b006cf2df0e32600a4

SHA1
755f1163a7568f2bba4e397392c87ba480848deb

SHA256
a2d08018d13895342890f096ff1e072694910b8bedbef9e8b2463463599b4959

SHA512
089671de1bc60c980ea9ad43b8d066d2a3691e9ee396d185fe4fa4ae03cc844f77fd2fb8c7727127bd741b42f447bc6e04aa72adf3e2da70d28e83d919a72fb6

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
390B

MD5
14127afaa9f5c37616bcfc9cd1efd506

SHA1
fdbc78faf296fa1a5276e56cedd1d3bc7b1e03b9

SHA256
4d98ecf51ff3a5351bd772ac4b6a06373b4f68638351e5c9a68e568c6a5f6355

SHA512
769769b203ae3ea78de0dbd36bba1072d6164a509858325960e53fcfcfe797f069e5c4ac930eae664f40e1905c0dd25ab432517d4b64c9ca4219c9e294cea3a5

Download Submit
memory/3232-0-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/3232-1-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/3232-4-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3232-66507-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4112-18-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4112-134819-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4112-134822-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download