0d69d7256a2adc7b7fa44b24c6a36997094f5ac82d7020cc467ea69c26df9aaa

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 08:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

73457dc8deda3b124982973f08186340_JaffaCakes118.exe
Size

21KB
MD5

73457dc8deda3b124982973f08186340
SHA1

090afbcd916efd7c838f194a0be0263ec86418a6
SHA256

0d69d7256a2adc7b7fa44b24c6a36997094f5ac82d7020cc467ea69c26df9aaa
SHA512

76cc7bdd8bb52491c2db21a3a013efb6a708f870e8f2db26132222573a5b395d039948f9d330440889cf801aa94219f24654e78ca2d79e6368c577d4ec4e95b9
SSDEEP

384:Xl0RyHxDcZX9n5YcxEGVYKGn29zM+ApRQcw45uZawinuMExBxfLDR2fTW:10yRDcZX9n1EGV37ADx5u45iHgi

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2792	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2652-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2652-3-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73457dc8deda3b124982973f08186340_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2792	2652	73457dc8deda3b124982973f08186340_JaffaCakes118.exe	30
PID 2652 wrote to memory of 2792	2652	73457dc8deda3b124982973f08186340_JaffaCakes118.exe	30
PID 2652 wrote to memory of 2792	2652	73457dc8deda3b124982973f08186340_JaffaCakes118.exe	30
PID 2652 wrote to memory of 2792	2652	73457dc8deda3b124982973f08186340_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\73457dc8deda3b124982973f08186340_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\73457dc8deda3b124982973f08186340_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\a..bat" > nul 2> nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a..bat

Filesize
238B

MD5
1c1353e5cbb3939048bb6d00886d572f

SHA1
e7ff71a9ba86352474ab225a10245f15dc7355df

SHA256
5b380e9ab223bd6ae50afa25f304c9526681ba4ca6c39e6be23bb44c3d562b13

SHA512
1af50f2ebf262c83fa6c987ea4816ec9557b0dfef388c33c6797f973b71b9560a93fa122116437f7400ba935cd77cc4ef82abe42b75336660af2a20d4123d78f

Download Submit
memory/2652-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2652-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2652-3-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download