40714f10d395b3d50971a66923680015b8eab46668f96c2c9ce99c4001c725c1

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75fa0634b3012327b19ea88157264620_JaffaCakes118.exe
Size

59KB
MD5

75fa0634b3012327b19ea88157264620
SHA1

cecbebaff4cba892eb301e25d46201ecd16ac7d1
SHA256

40714f10d395b3d50971a66923680015b8eab46668f96c2c9ce99c4001c725c1
SHA512

684c334d46243ed0eff7bf7baa3fd206a0abf2370bd1246ab84d1bf8f88743de34556cfcc4613d012c257d8c7da70f4526e32877ee8abda93662ced58dea186c
SSDEEP

1536:8lOXC8K8zFEqZWdFbBsufj2mWG1onzawil0CpuH/YXVMr:8oXC8vzK1bK2Ponzaw0pufEVMr

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5032	14fC6DA.tmp

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/752-0-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/752-10-0x0000000000400000-0x000000000042E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75fa0634b3012327b19ea88157264620_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14fC6DA.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
752	75fa0634b3012327b19ea88157264620_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 5032	752	75fa0634b3012327b19ea88157264620_JaffaCakes118.exe	84
PID 752 wrote to memory of 5032	752	75fa0634b3012327b19ea88157264620_JaffaCakes118.exe	84
PID 752 wrote to memory of 5032	752	75fa0634b3012327b19ea88157264620_JaffaCakes118.exe	84
PID 752 wrote to memory of 3920	752	75fa0634b3012327b19ea88157264620_JaffaCakes118.exe	85
PID 752 wrote to memory of 3920	752	75fa0634b3012327b19ea88157264620_JaffaCakes118.exe	85
PID 752 wrote to memory of 3920	752	75fa0634b3012327b19ea88157264620_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\75fa0634b3012327b19ea88157264620_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\75fa0634b3012327b19ea88157264620_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:752
- C:\Users\Admin\AppData\Local\Temp\14fC6DA.tmp
  C:\Users\Admin\AppData\Local\Temp\14fC6DA.tmp
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\14fC6EB.tmp.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\14fC6DA.tmp.tmp

Filesize
16KB

MD5
045087bbb2049c6006c59e3811867e71

SHA1
d163250a41f3e6920a6df6d9e0a4f165dffc85c7

SHA256
1c0efa02c16286a9b60a3236383152111854439f68dc203199fb034dbdf61244

SHA512
a416fde6a8176b2a237c246ccade72f91ef27788e0217b40b1525bd9de735600a987f97f71f57ed3f61fb582b67f31cde7de72e97a554d7ee2bf7a7abc0f1718

Download Submit
C:\Users\Admin\AppData\Local\Temp\14fC6EB.tmp.cmd

Filesize
235B

MD5
b7c0e61ef14df6691ce3b0d068810aad

SHA1
c4d92203d573c90d3f41eb0d2fc4ec3c263d9b6b

SHA256
c2a0aa625460a0aacca4b5c176a5a713f46c21a7a297f42e7f3345f8523b07ca

SHA512
d339b7ef07bdd49944052612157fc604093c66c255f6733c1e8f5f08499b5ab9754339ada89e3378e6095a0718420fc3b89b8417e4635aba6a559741a0a52cd9

Download Submit
memory/752-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/752-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5032-8-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5032-12-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download