be48fcf0760558d0de4e79aa5f432a666c10d7e55b74dd63d0d628ef4a589f2a

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe
Size

22KB
MD5

26595ef93171e77c30c72444ba6e5db5
SHA1

b0db24ae3c620954ee696d323171508cc4cc223e
SHA256

be48fcf0760558d0de4e79aa5f432a666c10d7e55b74dd63d0d628ef4a589f2a
SHA512

8117b6411fdb1c6f2ad2f25d480ed7d116a762fdd36e6c29bc1961c70689f6ec2d8813c5566fd2ad7768cfe7e4eef22fbaee8a83ec509dc0a84970d2e1813b22
SSDEEP

384:GurXb/lfW2U8g+qeIBlr1TzG8wVpmKG9LDWojYE0WQctn:bbtfQ80bB/Tq8wjmU/cp

Score

8^/10

aspackv2

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exeATI.exe

description ioc process

File created C:\Windows\SysWOW64\drivers\beep.sys 26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe
File created C:\Windows\SysWOW64\drivers\beep.sys ATI.exe
ASPack v2.12-2.42 2 IoCs
Detects executables packed with ASPack v2.12-2.42
aspackv2

Processes:

resource yara_rule

\Windows\SysWOW64\ATI.exe aspack_v212_v242
behavioral1/memory/2140-14-0x0000000000270000-0x0000000000278000-memory.dmp aspack_v212_v242
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3044 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

ATI.exe

pid process

2036 ATI.exe
Loads dropped DLL 2 IoCs

Processes:

26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe

pid process

2140 26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe
2140 26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\beep.sys	26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\beep.sys	ATI.exe

resource	yara_rule
\Windows\SysWOW64\ATI.exe	aspack_v212_v242
behavioral1/memory/2140-14-0x0000000000270000-0x0000000000278000-memory.dmp	aspack_v212_v242

pid	process
3044	cmd.exe

pid	process
2036	ATI.exe

pid	process
2140	26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe
2140	26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

Processes:

26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exeATI.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ATI.exe	26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ATI.exe	26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ATI.exe	ATI.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

480
480
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exeATI.exe

description pid process

Token: SeIncBasePriorityPrivilege 2140 26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege 2036 ATI.exe

pid	process
480
480

description	pid	process
Token: SeIncBasePriorityPrivilege	2140	26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2036	ATI.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exeATI.exe

description	pid	process	target process
PID 2140 wrote to memory of 2036	2140	26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe	ATI.exe
PID 2140 wrote to memory of 2036	2140	26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe	ATI.exe
PID 2140 wrote to memory of 2036	2140	26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe	ATI.exe
PID 2140 wrote to memory of 2036	2140	26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe	ATI.exe
PID 2036 wrote to memory of 2148	2036	ATI.exe	cmd.exe
PID 2036 wrote to memory of 2148	2036	ATI.exe	cmd.exe
PID 2036 wrote to memory of 2148	2036	ATI.exe	cmd.exe
PID 2036 wrote to memory of 2148	2036	ATI.exe	cmd.exe
PID 2140 wrote to memory of 3044	2140	26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe	cmd.exe
PID 2140 wrote to memory of 3044	2140	26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe	cmd.exe
PID 2140 wrote to memory of 3044	2140	26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe	cmd.exe
PID 2140 wrote to memory of 3044	2140	26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\SysWOW64\ATI.exe
"C:\Windows\system32\ATI.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\ATI.exe > nul
3⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\26595E~1.EXE > nul
2⤵
- Deletes itself
PID:3044

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\drivers\beep.sys
Filesize
2KB

MD5
5fd668ad46277cc087c14569bd508f7b

SHA1
a401a642806991b49e39a08862fa5d462cf37bb6

SHA256
aeeb1db06947f713973e60e1e87e9d5e0de15904586137b55a37d88925222662

SHA512
51d303862887aec41d04bf1a00c1a43ca6c9f0ec91d2f0736a517250d11840e482c09e63447ec4ebc746b8328881d6fbd17ea401fc54e1044e41816f42175b1c

Download Submit
\Windows\SysWOW64\ATI.exe
Filesize
22KB

MD5
26595ef93171e77c30c72444ba6e5db5

SHA1
b0db24ae3c620954ee696d323171508cc4cc223e

SHA256
be48fcf0760558d0de4e79aa5f432a666c10d7e55b74dd63d0d628ef4a589f2a

SHA512
8117b6411fdb1c6f2ad2f25d480ed7d116a762fdd36e6c29bc1961c70689f6ec2d8813c5566fd2ad7768cfe7e4eef22fbaee8a83ec509dc0a84970d2e1813b22

Download Submit
memory/2036-15-0x0000000000400000-0x0000000000407028-memory.dmp

Filesize
28KB

Download
memory/2140-0-0x0000000000400000-0x0000000000407028-memory.dmp

Filesize
28KB

Download
memory/2140-5-0x0000000000270000-0x0000000000278000-memory.dmp

Filesize
32KB

Download
memory/2140-14-0x0000000000270000-0x0000000000278000-memory.dmp

Filesize
32KB

Download