995944f6c4c46b45c34daf0ad286c2ce5670844c58c36f8422bc990bd8b10639

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 12:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

67a4b82bd6c793a5dc998169b805ee80_JaffaCakes118.exe
Size

10KB
MD5

67a4b82bd6c793a5dc998169b805ee80
SHA1

f1420c75ca4dee1462c0a14bd3eca775ab1c08bf
SHA256

995944f6c4c46b45c34daf0ad286c2ce5670844c58c36f8422bc990bd8b10639
SHA512

86da6b53b1d8244fe4569843bf621a3809a977b5f755e638ccbbbb3f4d70797d4bb890a4f28cdf56f035a94704e9c0aa42df20fa0f35fd0da77859b9fb664caf
SSDEEP

192:OLFh4K314Ve8fts+xxx17p683gRJfxXkAPlQznGhnTHyqeKKLT:ObjqVe8fts+7x1lGRJfOWlQzMTH7O

Score

8^/10

persistence privilege_escalation upx

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Deletes itself 1 IoCs

pid	Process
2660	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2768	dickusk.exe

Loads dropped DLL 2 IoCs

pid	Process
2688	67a4b82bd6c793a5dc998169b805ee80_JaffaCakes118.exe
2688	67a4b82bd6c793a5dc998169b805ee80_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2688-1-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x0008000000016dff-3.dat	upx
behavioral1/memory/2688-5-0x00000000002B0000-0x00000000002BF000-memory.dmp	upx
behavioral1/memory/2688-11-0x00000000002B0000-0x00000000002BF000-memory.dmp	upx
behavioral1/memory/2768-12-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2688-13-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2688-17-0x00000000002B0000-0x00000000002BF000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dickusk.exe	67a4b82bd6c793a5dc998169b805ee80_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dickus.dll	67a4b82bd6c793a5dc998169b805ee80_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dickusk.exe	67a4b82bd6c793a5dc998169b805ee80_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2768	2688	67a4b82bd6c793a5dc998169b805ee80_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2768	2688	67a4b82bd6c793a5dc998169b805ee80_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2768	2688	67a4b82bd6c793a5dc998169b805ee80_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2768	2688	67a4b82bd6c793a5dc998169b805ee80_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2660	2688	67a4b82bd6c793a5dc998169b805ee80_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2660	2688	67a4b82bd6c793a5dc998169b805ee80_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2660	2688	67a4b82bd6c793a5dc998169b805ee80_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2660	2688	67a4b82bd6c793a5dc998169b805ee80_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\67a4b82bd6c793a5dc998169b805ee80_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\67a4b82bd6c793a5dc998169b805ee80_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\dickusk.exe
  C:\Windows\system32\dickusk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\67a4b82bd6c793a5dc998169b805ee80_JaffaCakes118.exe.bat
  2⤵
  - Deletes itself
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\67a4b82bd6c793a5dc998169b805ee80_JaffaCakes118.exe.bat

Filesize
210B

MD5
fbf0a1443dd113057b3e93ef7d8f4e66

SHA1
78f014671f464bb905a459e5bc72886b7240a536

SHA256
9f7f872fe33c145ab60a406bf53280bcea7c88eb5c89e452334a664e9c23f88f

SHA512
6a75142d844cfce1301d6efd0680baf18089370f020e51cbbc557443c5fd5c92a513f086160c0c18d873a930544119810ea5058769e2959d858a0ec23f052b13

Download Submit
\Windows\SysWOW64\dickusk.exe

Filesize
10KB

MD5
67a4b82bd6c793a5dc998169b805ee80

SHA1
f1420c75ca4dee1462c0a14bd3eca775ab1c08bf

SHA256
995944f6c4c46b45c34daf0ad286c2ce5670844c58c36f8422bc990bd8b10639

SHA512
86da6b53b1d8244fe4569843bf621a3809a977b5f755e638ccbbbb3f4d70797d4bb890a4f28cdf56f035a94704e9c0aa42df20fa0f35fd0da77859b9fb664caf

Download Submit
memory/2688-1-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2688-5-0x00000000002B0000-0x00000000002BF000-memory.dmp

Filesize
60KB

Download
memory/2688-11-0x00000000002B0000-0x00000000002BF000-memory.dmp

Filesize
60KB

Download
memory/2688-13-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2688-17-0x00000000002B0000-0x00000000002BF000-memory.dmp

Filesize
60KB

Download
memory/2768-12-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download