e37a6a4cc0f256106b82b2883f8864dcf78ecb401e34893150237a3ee616c828

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78f4285855a7ffb1e35792b5f39d3e2e_JaffaCakes118.exe
Size

140KB
MD5

78f4285855a7ffb1e35792b5f39d3e2e
SHA1

14258e9d3c50c60ff031c7d9c3fd179e7e1b4d27
SHA256

e37a6a4cc0f256106b82b2883f8864dcf78ecb401e34893150237a3ee616c828
SHA512

7e6307019f5082bd2e5905978b7e2095bc5b5db0b966b0eb10f646213bbcb92ab9caff8246cbc0ad6e8f4487e49e600925d6dc2369bf11463adfb51d7214f597
SSDEEP

3072:SEI0C2ukzLWRcS0KiWxKhbXGPYZeIUDy1EG0F9UVFiG:Sj2hnEhDK5hHUU4G

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00080000000174a8-17.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2712	APP-2.Exe

Loads dropped DLL 4 IoCs

pid	Process
2280	78f4285855a7ffb1e35792b5f39d3e2e_JaffaCakes118.exe
2280	78f4285855a7ffb1e35792b5f39d3e2e_JaffaCakes118.exe
2712	APP-2.Exe
2280	78f4285855a7ffb1e35792b5f39d3e2e_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000174a8-17.dat	upx
behavioral1/memory/2712-19-0x0000000000290000-0x000000000029E000-memory.dmp	upx
behavioral1/memory/2280-22-0x0000000000630000-0x000000000063E000-memory.dmp	upx
behavioral1/memory/2280-24-0x0000000000630000-0x000000000063E000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\APP-2nq.dll	APP-2.Exe
File created	C:\Windows\SysWOW64\APP-2nq.dll	APP-2.Exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78f4285855a7ffb1e35792b5f39d3e2e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	APP-2.Exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2280	78f4285855a7ffb1e35792b5f39d3e2e_JaffaCakes118.exe
2712	APP-2.Exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2712	2280	78f4285855a7ffb1e35792b5f39d3e2e_JaffaCakes118.exe	30
PID 2280 wrote to memory of 2712	2280	78f4285855a7ffb1e35792b5f39d3e2e_JaffaCakes118.exe	30
PID 2280 wrote to memory of 2712	2280	78f4285855a7ffb1e35792b5f39d3e2e_JaffaCakes118.exe	30
PID 2280 wrote to memory of 2712	2280	78f4285855a7ffb1e35792b5f39d3e2e_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\78f4285855a7ffb1e35792b5f39d3e2e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\78f4285855a7ffb1e35792b5f39d3e2e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\APP-2.Exe
  C:\Users\Admin\AppData\Local\Temp\APP-2.Exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\APP-2.exe

Filesize
15KB

MD5
58173a27ad0e8c0cc8b512260935363b

SHA1
e6c2be12af570455a9ba25d888020e4f785e7363

SHA256
6547328ca7922e29eb4617efda778b4fa100b0eec5cd705a22f66955e6e40d99

SHA512
a4ba12736ee641a72cc41b1f53aac553e0bec596849a0a710751e60ee5f224e65cb5262ff18fc694136a9faba3fb7dd2242e84948314630a18dcdeebc4fbb3bf

Download Submit
\Windows\SysWOW64\APP-2nq.dll

Filesize
13KB

MD5
271f912de7b8efbe9884d7e2ac5bb081

SHA1
1032049dc2501445ffc61f0351f2f622266144e1

SHA256
ca3a665198760df2b70669cc2387398dc6df9e7b79ca05dd137fdca2f65200f8

SHA512
920daf04bdf3dcc924ef958ff644f465fdb4e9d61ae9b7dbe7f997ac61278237fecc10cdb3cda0b79c3daa844d757cae5fa8575e419517d340dcc6034d8fe2a1

Download Submit
memory/2280-11-0x00000000001D0000-0x00000000001E7000-memory.dmp

Filesize
92KB

Download
memory/2280-10-0x00000000001D0000-0x00000000001E7000-memory.dmp

Filesize
92KB

Download
memory/2280-22-0x0000000000630000-0x000000000063E000-memory.dmp

Filesize
56KB

Download
memory/2280-24-0x0000000000630000-0x000000000063E000-memory.dmp

Filesize
56KB

Download
memory/2712-12-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2712-19-0x0000000000290000-0x000000000029E000-memory.dmp

Filesize
56KB

Download
memory/2712-26-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download