e8f5608b361e6c9a35b4cdc5bf0a386a9e00d77d0d6efb12149f30ebcdae33fc

Analysis

max time kernel
133s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76d0bcdfd638f4ef0c4385b0148bdf3d_JaffaCakes118.exe
Size

41KB
MD5

76d0bcdfd638f4ef0c4385b0148bdf3d
SHA1

8db4cc8d2a8d1757012a22c0b60db2f0ca219f18
SHA256

e8f5608b361e6c9a35b4cdc5bf0a386a9e00d77d0d6efb12149f30ebcdae33fc
SHA512

42a312917131ff941b0e4008901afc6241fe3f3ea4f756ccd0af321f65135ae1910975b2646a3d3ca2f7548bde42c7418ace0a68bfb8a42c16d8ebaac014bdb9
SSDEEP

768:6x2ZiddEC7lRaqtcSI3QpG3bvb2m9RkUT4rdlnjUsWc5ax3deVFv0fGJPLVbPi:6ATWlsCNI3bvyyb2FjUmMe+GJP5ji

Score

8^/10

aspackv2 discovery persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	livevideo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ErrorReportSent = "C:\\Users\\Admin\\AppData\\Roaming\\livevideo.exe"	livevideo.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00090000000233fe-3.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
836	livevideo.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76d0bcdfd638f4ef0c4385b0148bdf3d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	livevideo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 836	5088	76d0bcdfd638f4ef0c4385b0148bdf3d_JaffaCakes118.exe	84
PID 5088 wrote to memory of 836	5088	76d0bcdfd638f4ef0c4385b0148bdf3d_JaffaCakes118.exe	84
PID 5088 wrote to memory of 836	5088	76d0bcdfd638f4ef0c4385b0148bdf3d_JaffaCakes118.exe	84
PID 5088 wrote to memory of 2392	5088	76d0bcdfd638f4ef0c4385b0148bdf3d_JaffaCakes118.exe	85
PID 5088 wrote to memory of 2392	5088	76d0bcdfd638f4ef0c4385b0148bdf3d_JaffaCakes118.exe	85
PID 5088 wrote to memory of 2392	5088	76d0bcdfd638f4ef0c4385b0148bdf3d_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\76d0bcdfd638f4ef0c4385b0148bdf3d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\76d0bcdfd638f4ef0c4385b0148bdf3d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Users\Admin\AppData\Roaming\livevideo.exe
  C:\Users\Admin\AppData\Roaming\livevideo.exe
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c UNISTA~1.BAT
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unistalliveshows.bat

Filesize
88B

MD5
a97b91e5630f11085cbcfe54ae827e91

SHA1
7726460967c5f3ed3a2e92d9d89d80e60846ce3f

SHA256
478395cf710d0f7980516e0c2c16c634e5a1523c1a07b7fea777ae595045ec03

SHA512
86b4ad4749c5a012b19edb35cfcf41edbd2bb55dea20165974060ed1944efcc9ce7bdb0b57d84ee713720f862ca85c293a197169a07d564240811a70b64ed915

Download Submit
C:\Users\Admin\AppData\Roaming\livevideo.exe

Filesize
41KB

MD5
2545f62279fbd2b78d2506922d038e85

SHA1
13fd6dbde5b1573a29c0d99cc75f77b67591fdf0

SHA256
28781b0cf811fa573541af7ff379484a68dad5489d82b4f9f5edcd8d6592c086

SHA512
bc6db5d7da730f4960de321dc570060a147d91a9079b57e59c3abd7806465640dad30a290d9be14e9e93419378b10c925b9dd792c342284977b5d03a11aae740

Download Submit
memory/836-5-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/5088-8-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads