Overview

overview

7

Static

static

7

a01f06f36e...18.exe

windows7-x64

7

a01f06f36e...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    16-08-2024 22:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a01f06f36e4be328ea5b9939afbdb43b_JaffaCakes118.exe

  • Size

    159KB

  • MD5

    a01f06f36e4be328ea5b9939afbdb43b

  • SHA1

    801a6b7ba8b885e24ad8e924ef3ffafca69e2efb

  • SHA256

    723de228777235e5aba067d261e1eae26b5b08b5acd785814088d2dfef4b2964

  • SHA512

    fb5ed445ea0f25022ee8a73e0dcdf68da5c606402a5ec83c9bf904ed38e635499114b787285cc0d516533f5ac59fcf1be7d350e40610a70fdb3d2ff56058ef5e

  • SSDEEP

    3072:eZty12jmThk8KWg+GV7caWDsFpcST34GIKtG7F7uSL5Nbe40VwWAA80kXKj:Gy1+mThk/vtWibToGIUGh7FL5Y4680kW

Score
7/10
upx

Malware Config

Signatures

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\system32\wininit.exe
    wininit.exe
    1⤵
      PID:384
      • C:\Windows\system32\lsass.exe
        C:\Windows\system32\lsass.exe
        2⤵
          PID:492
        • C:\Windows\system32\lsm.exe
          C:\Windows\system32\lsm.exe
          2⤵
            PID:500
        • C:\Windows\system32\winlogon.exe
          winlogon.exe
          1⤵
            PID:432
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k DcomLaunch
            1⤵
              PID:604
              • C:\Windows\system32\wbem\wmiprvse.exe
                C:\Windows\system32\wbem\wmiprvse.exe
                2⤵
                  PID:1444
                • C:\Windows\system32\DllHost.exe
                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                  2⤵
                    PID:1600
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k RPCSS
                  1⤵
                    PID:684
                  • C:\Windows\System32\svchost.exe
                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                    1⤵
                      PID:768
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                      1⤵
                        PID:820
                        • C:\Windows\system32\Dwm.exe
                          "C:\Windows\system32\Dwm.exe"
                          2⤵
                            PID:1128
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k netsvcs
                          1⤵
                            PID:848
                            • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
                              wmiadap.exe /F /T /R
                              2⤵
                                PID:2172
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalService
                              1⤵
                                PID:968
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k NetworkService
                                1⤵
                                  PID:280
                                • C:\Windows\System32\spoolsv.exe
                                  C:\Windows\System32\spoolsv.exe
                                  1⤵
                                    PID:1040
                                  • C:\Windows\system32\taskhost.exe
                                    "taskhost.exe"
                                    1⤵
                                      PID:1056
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                                      1⤵
                                        PID:1116
                                      • C:\Windows\Explorer.EXE
                                        C:\Windows\Explorer.EXE
                                        1⤵
                                          PID:1176
                                          • C:\Users\Admin\AppData\Local\Temp\a01f06f36e4be328ea5b9939afbdb43b_JaffaCakes118.exe
                                            "C:\Users\Admin\AppData\Local\Temp\a01f06f36e4be328ea5b9939afbdb43b_JaffaCakes118.exe"
                                            2⤵
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            • Suspicious use of WriteProcessMemory
                                            PID:2352
                                        • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
                                          "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
                                          1⤵
                                            PID:1260
                                          • C:\Windows\system32\svchost.exe
                                            C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                            1⤵
                                              PID:1572
                                            • C:\Windows\system32\sppsvc.exe
                                              C:\Windows\system32\sppsvc.exe
                                              1⤵
                                                PID:3012
                                              • C:\Users\Admin\AppData\Local\Temp\1540376265\zmstage.exe
                                                C:\Users\Admin\AppData\Local\Temp\1540376265\zmstage.exe
                                                1⤵
                                                  PID:2476

                                                Network

                                                MITRE ATT&CK Matrix

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • memory/1176-3-0x000000000EA00000-0x000000000EA32000-memory.dmp

                                                  Filesize

                                                  200KB

                                                  Download

                                                • memory/1176-52-0x000000000EA60000-0x000000000EA96000-memory.dmp

                                                  Filesize

                                                  216KB

                                                  Download

                                                • memory/2352-0-0x0000000000400000-0x000000000043A000-memory.dmp

                                                  Filesize

                                                  232KB

                                                  Download

                                                • memory/2352-1-0x0000000000020000-0x0000000000022000-memory.dmp

                                                  Filesize

                                                  8KB

                                                  Download

                                                • memory/2352-2-0x0000000000400000-0x000000000043A000-memory.dmp

                                                  Filesize

                                                  232KB

                                                  Download

                                                • memory/2352-7-0x0000000000400000-0x000000000043A000-memory.dmp

                                                  Filesize

                                                  232KB

                                                  Download