a4c8599bd7d7bec3165eb6e505a2bc5a0d40fbc0d6fccbb3c54de7c863d0f983

Analysis

max time kernel
141s
max time network
20s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7456ef5009b71796d7c88f906fd085b5_JaffaCakes118.exe
Size

345KB
MD5

7456ef5009b71796d7c88f906fd085b5
SHA1

b53acc53e78f27ca8df55e73c0dd1e1e419b0b19
SHA256

a4c8599bd7d7bec3165eb6e505a2bc5a0d40fbc0d6fccbb3c54de7c863d0f983
SHA512

fce36020c799fbd7d3efe3eed7907a958914bc8f326c27436464d7aaa0812bad492f15674acc97b08a4d312381a5fd81c006926ffbc31c05558e7748d86bed37
SSDEEP

6144:f8R4vZ5tMMFUMK4wBgFb1TLd81X04RxiFD14xXRNXMbl2C8P2:ERmXtMFMvwmb1TLK1/STKErb

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1520	018m3.exe

Loads dropped DLL 6 IoCs

pid	Process
2604	cmd.exe
2604	cmd.exe
2240	WerFault.exe
2240	WerFault.exe
2240	WerFault.exe
2240	WerFault.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000018b4d-68.dat	upx
behavioral1/memory/1520-72-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/1520-77-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2240	1520	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	018m3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7456ef5009b71796d7c88f906fd085b5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 1580	2348	7456ef5009b71796d7c88f906fd085b5_JaffaCakes118.exe	29
PID 2348 wrote to memory of 1580	2348	7456ef5009b71796d7c88f906fd085b5_JaffaCakes118.exe	29
PID 2348 wrote to memory of 1580	2348	7456ef5009b71796d7c88f906fd085b5_JaffaCakes118.exe	29
PID 2348 wrote to memory of 1580	2348	7456ef5009b71796d7c88f906fd085b5_JaffaCakes118.exe	29
PID 2348 wrote to memory of 2604	2348	7456ef5009b71796d7c88f906fd085b5_JaffaCakes118.exe	30
PID 2348 wrote to memory of 2604	2348	7456ef5009b71796d7c88f906fd085b5_JaffaCakes118.exe	30
PID 2348 wrote to memory of 2604	2348	7456ef5009b71796d7c88f906fd085b5_JaffaCakes118.exe	30
PID 2348 wrote to memory of 2604	2348	7456ef5009b71796d7c88f906fd085b5_JaffaCakes118.exe	30
PID 2604 wrote to memory of 1520	2604	cmd.exe	33
PID 2604 wrote to memory of 1520	2604	cmd.exe	33
PID 2604 wrote to memory of 1520	2604	cmd.exe	33
PID 2604 wrote to memory of 1520	2604	cmd.exe	33
PID 1520 wrote to memory of 2240	1520	018m3.exe	34
PID 1520 wrote to memory of 2240	1520	018m3.exe	34
PID 1520 wrote to memory of 2240	1520	018m3.exe	34
PID 1520 wrote to memory of 2240	1520	018m3.exe	34

C:\Users\Admin\AppData\Local\Temp\7456ef5009b71796d7c88f906fd085b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7456ef5009b71796d7c88f906fd085b5_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Temp\DNF Ð¡·è¸¨Öú¹¤¾ß1.3.exe.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Temp\018m3.exe.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\Temp\018m3.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp\018m3.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 116
      4⤵
      Loads dropped DLL
      Program crash
      PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp\018m3.exe

Filesize
23KB

MD5
870f9ac687eaa2708c507020eb2fa0df

SHA1
b5d032d61b54b13f91e893a19ca4811eebe41af6

SHA256
8a9a64697bee09a45df0ad1f64c2caa38f3df7a544cafda239bef958e7c1b5e4

SHA512
5ea5d5b2d0345857bfdf5ff038f3f3e78702f205d16279102209c092ea5e18488a260cf3fdef559d5be0d1a331d87a69cc4ad3d6d08a85b8fe56b1bf5159e6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\018m3.exe.bat

Filesize
166B

MD5
e07ff3c3167eec8b4daaddb53714789c

SHA1
bf94cceeb6f11c09aa2ad14b26b04def1627f682

SHA256
ab749bb993f3ed93cee8a647b6c33181f08e5c7a7df9bb7bf45caf326c0d508d

SHA512
14141cf93f37d1c4d93696e103248f4c549a29c92ef6101ebdad59219febe3eeb4569d448aeb509c308900aa8e4443b85e458ce41f61b2de8baeb498005573c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\DNF Ð¡·è¸¨Öú¹¤¾ß1.3.exe.bat

Filesize
208B

MD5
b988732cdc765fb16a0b660f36c1d0c8

SHA1
cc217fda0debf217a9a9cbab852eee59bdb0c940

SHA256
504e3dd811c176926b228a0f39f819edf3271f5a78cbdfcc22adf3aa32641b9a

SHA512
89ad0de7f7aed11ab6e7819fa832054ee3802a612cc52c760d548684526b5c75769b3b7d39673dd9cd348570da677f9897042c76b60ec84c0bdb84eaec3673dd

Download Submit
memory/1520-72-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1520-77-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2348-34-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2348-7-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/2348-11-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/2348-10-0x0000000002700000-0x0000000002707000-memory.dmp

Filesize
28KB

Download
memory/2348-9-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2348-8-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download
memory/2348-30-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2348-6-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2348-5-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/2348-4-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2348-3-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2348-29-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2348-43-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/2348-42-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/2348-41-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/2348-40-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/2348-39-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2348-38-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2348-37-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/2348-36-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/2348-31-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2348-1-0x00000000004B0000-0x00000000004FC000-memory.dmp

Filesize
304KB

Download
memory/2348-33-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2348-32-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2348-35-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2348-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2348-2-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download
memory/2348-28-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2348-27-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2348-26-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2348-25-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2348-24-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2348-23-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2348-22-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2348-21-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2348-20-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2348-19-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2348-18-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2348-17-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2348-16-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2348-15-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/2348-14-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2348-13-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2348-12-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/2348-64-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2348-63-0x00000000004B0000-0x00000000004FC000-memory.dmp

Filesize
304KB

Download
memory/2604-69-0x0000000000180000-0x0000000000189000-memory.dmp

Filesize
36KB

Download
memory/2604-79-0x0000000000180000-0x0000000000189000-memory.dmp

Filesize
36KB

Download
memory/2604-80-0x0000000000180000-0x0000000000189000-memory.dmp

Filesize
36KB

Download