40714f10d395b3d50971a66923680015b8eab46668f96c2c9ce99c4001c725c1

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75fa0634b3012327b19ea88157264620_JaffaCakes118.exe
Size

59KB
MD5

75fa0634b3012327b19ea88157264620
SHA1

cecbebaff4cba892eb301e25d46201ecd16ac7d1
SHA256

40714f10d395b3d50971a66923680015b8eab46668f96c2c9ce99c4001c725c1
SHA512

684c334d46243ed0eff7bf7baa3fd206a0abf2370bd1246ab84d1bf8f88743de34556cfcc4613d012c257d8c7da70f4526e32877ee8abda93662ced58dea186c
SSDEEP

1536:8lOXC8K8zFEqZWdFbBsufj2mWG1onzawil0CpuH/YXVMr:8oXC8vzK1bK2Ponzaw0pufEVMr

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2096	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1720	14fBC8B.tmp

Loads dropped DLL 2 IoCs

pid	Process
2316	75fa0634b3012327b19ea88157264620_JaffaCakes118.exe
2316	75fa0634b3012327b19ea88157264620_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2316-0-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2316-21-0x0000000000400000-0x000000000042E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75fa0634b3012327b19ea88157264620_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14fBC8B.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2316	75fa0634b3012327b19ea88157264620_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 1720	2316	75fa0634b3012327b19ea88157264620_JaffaCakes118.exe	30
PID 2316 wrote to memory of 1720	2316	75fa0634b3012327b19ea88157264620_JaffaCakes118.exe	30
PID 2316 wrote to memory of 1720	2316	75fa0634b3012327b19ea88157264620_JaffaCakes118.exe	30
PID 2316 wrote to memory of 1720	2316	75fa0634b3012327b19ea88157264620_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2096	2316	75fa0634b3012327b19ea88157264620_JaffaCakes118.exe	31
PID 2316 wrote to memory of 2096	2316	75fa0634b3012327b19ea88157264620_JaffaCakes118.exe	31
PID 2316 wrote to memory of 2096	2316	75fa0634b3012327b19ea88157264620_JaffaCakes118.exe	31
PID 2316 wrote to memory of 2096	2316	75fa0634b3012327b19ea88157264620_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\75fa0634b3012327b19ea88157264620_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\75fa0634b3012327b19ea88157264620_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\14fBC8B.tmp
  C:\Users\Admin\AppData\Local\Temp\14fBC8B.tmp
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\14fBC9C.tmp.cmd
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\14fBC9C.tmp.cmd

Filesize
235B

MD5
b7c0e61ef14df6691ce3b0d068810aad

SHA1
c4d92203d573c90d3f41eb0d2fc4ec3c263d9b6b

SHA256
c2a0aa625460a0aacca4b5c176a5a713f46c21a7a297f42e7f3345f8523b07ca

SHA512
d339b7ef07bdd49944052612157fc604093c66c255f6733c1e8f5f08499b5ab9754339ada89e3378e6095a0718420fc3b89b8417e4635aba6a559741a0a52cd9

Download Submit
\Users\Admin\AppData\Local\Temp\14fBC8B.tmp

Filesize
16KB

MD5
c613a4db1422c55ce3dc2a017a616784

SHA1
bea93fdd5218325d4a0b0206479e37f6b6f75a9c

SHA256
b57c0ab29c32bc5c4a61d76f05af2fbee98f63c7aa3735cfd25b7e97eb71c151

SHA512
cb792d1b23a33dd39e8b684a16f328499a19e6355b45e93962d80e802d01595f00d5d327a908f6532e3ca08ce03e90318343c3bb94275af6850c0b969438e674

Download Submit
memory/1720-19-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2316-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2316-18-0x0000000000220000-0x0000000000227000-memory.dmp

Filesize
28KB

Download
memory/2316-17-0x0000000000220000-0x0000000000227000-memory.dmp

Filesize
28KB

Download
memory/2316-21-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download