b3fded9fc0dc26ed46c5977b9e72e58e91c3e49a99d17a912dae53beb7cabd12

Analysis

max time kernel
141s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe
Size

206KB
MD5

7841a99b47d35a121afa5f6065a73c23
SHA1

4e99899fb4c76f94d9948fe2c5074a0508524afb
SHA256

b3fded9fc0dc26ed46c5977b9e72e58e91c3e49a99d17a912dae53beb7cabd12
SHA512

7cc3c3ca8a26ef44a87d8a703b5cc3ade79a7f7374ffab11e1e0c04b6f0bd218a46091ed3ceacda6b258e3472a87c87e618307f53c74f21ff638593a9333bf92
SSDEEP

6144:fOdPMlDovWyRsIkQ2MqPGlMy4kuG7b+Z/PZbq:fOKlDSWieRLhMCZ/B

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2320-1-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/1816-11-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/1816-12-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/2320-13-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/2728-82-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/2728-81-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/2728-83-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/2320-187-0x0000000000400000-0x0000000000454000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 1816	2320	7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe	85
PID 2320 wrote to memory of 1816	2320	7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe	85
PID 2320 wrote to memory of 1816	2320	7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe	85
PID 2320 wrote to memory of 2728	2320	7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe	96
PID 2320 wrote to memory of 2728	2320	7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe	96
PID 2320 wrote to memory of 2728	2320	7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe	96

C:\Users\Admin\AppData\Local\Temp\7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:1816
- C:\Users\Admin\AppData\Local\Temp\7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\7841a99b47d35a121afa5f6065a73c23_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\77DD.91B

Filesize
600B

MD5
8b6b8af40eee8ae73f836acc1e6b51d7

SHA1
8ecf2d1e4b925b342c2a9496d7743415b3c77dce

SHA256
03c5f9342502acec63eab1cea3b8602a51ae6fdfaddd88c0c7de127cc8f3639f

SHA512
2509438fbb6070c36ffa594d059881e30ec72954129519978f25194d393de943cc4a9b532d784121da777dc0f80a3ade05ca4f0b0f73781e022847ab01bd3c4a

Download Submit
C:\Users\Admin\AppData\Roaming\77DD.91B

Filesize
1KB

MD5
43d171695f00f2f8de8bd719da01d00c

SHA1
449c9a2e85ef622247d80ad6812e75125a64fe6a

SHA256
a91f80d0c52c985adf01c6eac62da4a8d0dcbbb1168f41ce02482fe0c901412a

SHA512
ee2e056c3bb837245c06fc86fbe77be367f67eb9b3efbeeb290b622c2219a81526e34a286bc6f31c4dd1c0fd3f2a97b570564a6ea2ccf6509287fcc2e66952a1

Download Submit
C:\Users\Admin\AppData\Roaming\77DD.91B

Filesize
996B

MD5
49e40007ad21ed2d71d7e63c50512e2d

SHA1
2f7fa09f06dca61baacd14353cfa07dbf76e8f22

SHA256
35f3eedb65af5aed4a94882668dd0a3cdd899055a17de3af66dcf231cdfcbca2

SHA512
1a73f2271d288c10e1f874f4f1eb75ca8f744a0e9498bf495fd6dfe07b3c6e6d5bb606cd70915eb87acc86859c181beb11ef1eaf087ad5f7508758dc86d9cbd7

Download Submit
memory/1816-11-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1816-12-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2320-1-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2320-13-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2320-187-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2728-82-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2728-81-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2728-83-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download