4497407c4efd9e162826c298527edf38d810d5afc46c5b3c52540b27ba4160ce

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

674fc601810b0696fffa697ea180245e_JaffaCakes118.exe
Size

389KB
MD5

674fc601810b0696fffa697ea180245e
SHA1

7c6bfb489aaf5fda6648bae870740b9e2e000f80
SHA256

4497407c4efd9e162826c298527edf38d810d5afc46c5b3c52540b27ba4160ce
SHA512

e79c7742de51013d42ba675a969fd346aab87e27de8bc5e1ac270f2bdcf23c314756cdd32a652c7b75b874d5b9a617fc1f912268318b79ed3f418e5083800878
SSDEEP

12288:TWqOtTB1A7suqCVl+qFm3EKznJpIYdoE9KLLOTG:atTcsSO3JbdBZG

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2828	ÁúÖ®¹È.exe
2436	xxxa.exe

Loads dropped DLL 7 IoCs

pid	Process
2292	674fc601810b0696fffa697ea180245e_JaffaCakes118.exe
2292	674fc601810b0696fffa697ea180245e_JaffaCakes118.exe
2292	674fc601810b0696fffa697ea180245e_JaffaCakes118.exe
2292	674fc601810b0696fffa697ea180245e_JaffaCakes118.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016d2a-13.dat	upx
behavioral1/memory/2436-18-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2436-22-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2832	2436	WerFault.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2292	674fc601810b0696fffa697ea180245e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2828	ÁúÖ®¹È.exe
2828	ÁúÖ®¹È.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2828	2292	674fc601810b0696fffa697ea180245e_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2828	2292	674fc601810b0696fffa697ea180245e_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2828	2292	674fc601810b0696fffa697ea180245e_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2828	2292	674fc601810b0696fffa697ea180245e_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2436	2292	674fc601810b0696fffa697ea180245e_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2436	2292	674fc601810b0696fffa697ea180245e_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2436	2292	674fc601810b0696fffa697ea180245e_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2436	2292	674fc601810b0696fffa697ea180245e_JaffaCakes118.exe	32
PID 2436 wrote to memory of 2832	2436	xxxa.exe	33
PID 2436 wrote to memory of 2832	2436	xxxa.exe	33
PID 2436 wrote to memory of 2832	2436	xxxa.exe	33
PID 2436 wrote to memory of 2832	2436	xxxa.exe	33

C:\Users\Admin\AppData\Local\Temp\674fc601810b0696fffa697ea180245e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\674fc601810b0696fffa697ea180245e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\Temp\ÁúÖ®¹È.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\ÁúÖ®¹È.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2828
- C:\Users\Admin\AppData\Local\Temp\Temp\xxxa.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\xxxa.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 88
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp\ÁúÖ®¹È.exe

Filesize
620KB

MD5
507831ac6bc29efc34ee9fc48e683c22

SHA1
fddd79e653ac105190d9c1e20e7a12a8843c75cd

SHA256
0fd90c3e90013b1c444fa0a968d3b7352567b87ebb2feb4556d30efa25c763b9

SHA512
1883c9f09b07e6bf150791d580cc256e5248db372c98900332b1f643e908d21f0e12c054c3eca385ef36f3235b21878630b0d1cf60a6b647377c78e94ba390de

Download Submit
\Users\Admin\AppData\Local\Temp\Temp\xxxa.exe

Filesize
34KB

MD5
60ade42f0ebabf352152afe80e9b7056

SHA1
77c253c78bed466431a83dc43da487123c2c9b5e

SHA256
95d891c1aa0322d4d961a72cb05b760dc81a30e6505d98c0936d22a7066739f4

SHA512
96b9793ae2cb0053eca17f36d0e68e371aaad84df7bbf88253af4a2c58737e69815eb72167cfd4910769f8978eb8b5261171fae6354548072fe93931224cf376

Download Submit
memory/2436-18-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2436-22-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download