87cf2004c02c4ecff63ce17d16ddf887e38cd4a8256b3847c078f89a5204efae

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77b76bdfceebc9e121909a05110a9a67_JaffaCakes118.exe
Size

23KB
MD5

77b76bdfceebc9e121909a05110a9a67
SHA1

49679fc9e65d328648194a66a14044bf64af01bc
SHA256

87cf2004c02c4ecff63ce17d16ddf887e38cd4a8256b3847c078f89a5204efae
SHA512

c0940efc55b2440d5c9fa97180796d1becfe86d5c8dbc15a9d5bed383e046c84d2e8b264079dc706bc7aabecfc44abb7ce541d8de50d6ea0e9485a48acdff10a
SSDEEP

384:Z3f7Pi4i+rK8Yn81j9cAyngJA62zbzo5etDA3+t0hNowt4uVml5e41L:ZzVr9mU5ks5s4WTe41

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2512	cmd.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2596-0-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1700-4-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1700-5-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1700-6-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2596-15-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1700-17-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe:ext.exe	77b76bdfceebc9e121909a05110a9a67_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fci.exe	77b76bdfceebc9e121909a05110a9a67_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fci.exe	77b76bdfceebc9e121909a05110a9a67_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2596 set thread context of 1700	2596	77b76bdfceebc9e121909a05110a9a67_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77b76bdfceebc9e121909a05110a9a67_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 1700	2596	77b76bdfceebc9e121909a05110a9a67_JaffaCakes118.exe	31
PID 2596 wrote to memory of 1700	2596	77b76bdfceebc9e121909a05110a9a67_JaffaCakes118.exe	31
PID 2596 wrote to memory of 1700	2596	77b76bdfceebc9e121909a05110a9a67_JaffaCakes118.exe	31
PID 2596 wrote to memory of 1700	2596	77b76bdfceebc9e121909a05110a9a67_JaffaCakes118.exe	31
PID 2596 wrote to memory of 1700	2596	77b76bdfceebc9e121909a05110a9a67_JaffaCakes118.exe	31
PID 2596 wrote to memory of 2512	2596	77b76bdfceebc9e121909a05110a9a67_JaffaCakes118.exe	32
PID 2596 wrote to memory of 2512	2596	77b76bdfceebc9e121909a05110a9a67_JaffaCakes118.exe	32
PID 2596 wrote to memory of 2512	2596	77b76bdfceebc9e121909a05110a9a67_JaffaCakes118.exe	32
PID 2596 wrote to memory of 2512	2596	77b76bdfceebc9e121909a05110a9a67_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\77b76bdfceebc9e121909a05110a9a67_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\77b76bdfceebc9e121909a05110a9a67_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\2228227.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2228227.bat

Filesize
263B

MD5
70f118f62c72d4c5fa76d08a6acd5a72

SHA1
ffa3f1d875f11e59f5e58b81743dee183131eba4

SHA256
7e8971e19eaf19a85538fa5f2911998e68fad4a465ab66370a4096d3334f34ca

SHA512
0a8c66e3cc6eed3325274b57e12b91115984df5db7dd07fc57724037d851764de9f5f13bcd252be52fca46fd6b39874c5bd40e9a797fa509516010fa464b8bff

Download Submit
memory/1700-4-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1700-5-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1700-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1700-6-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1700-17-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2596-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2596-15-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download