7a09bb011ae01115faf3ffdfc98b18e3f342decde9bbc345bae35b8152fa0afc

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
Size

92KB
MD5

0076e38ce4e63a212d9e1e2e53e19f12
SHA1

4585aa54d71ca227f83ec52dc5e87defc4d005f0
SHA256

7a09bb011ae01115faf3ffdfc98b18e3f342decde9bbc345bae35b8152fa0afc
SHA512

69525a4e7b81c65378027b49e3b3870616e2a185a91403e5d6ec33d67ae8a8b319fe98da271ee91303d9e794db66ac8124a37118cfe0fdbf5bd7f927e64ba493
SSDEEP

1536:5lrsicagdzn8K2ariPOcjk+XQuPVN72NMSnrHIMm5iZbJUP7L++E4/:5JjcF8KfCOcjk+guPVjSnrGwM6x4/

Score

7^/10

discovery persistence upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2512-3-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/files/0x0009000000016cef-6.dat	upx
behavioral1/memory/2512-35-0x0000000000400000-0x0000000000467000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winxcfg.exe = "C:\\Windows\\system32\\winxcfg.exe"	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winxcfg.exe	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\wife in kitchen preparing hot pussy for hubby's dinner.mpg.pif	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\honies letting dudes flush mouths full of hot cum.mpg.pif	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\two studs gangbanging a hot little sluts holes.mpg.pif	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\firm ass honie with thick lips made for sucking rods.mpg.pif	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\Counter Strike CD Keygen.exe	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\Pamela Anderson And Tommy Lee Home Video (Part 1).mpg.exe	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\babes taking turns munching on hot beavers.mpg.pif	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\uncle fred spanking his young nieces little ass.mpg.pif	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\happy babe who got 12 inches last night.mpg.pif	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\hot actress heather graham naked.mpg.pif	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\ICQ Hackingtools.exe	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\blonde doing dildo outdoors.mpg.pif	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\Harry Potter and the sorcerors stone.divx.exe	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\yummy lesbos licking.mpg.pif	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\hot babes having too much fun at nude beach party.mpg.pif	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\sexy blonde teasing pussy.mpg.pif	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\strange asian ass odyssey.mpg.pif	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\toying blonde with fucking machine.mpg.pif	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\cum hungry slut accepting goop.mpg.pif	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\sexy hot looking horny ebony teens.mpg.pif	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\brazilian supermodel adriana lima.mpg.pif	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\Warcraft 3 battle.net serial generator.exe	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\career girls playing with their snatch after work.mpg.pif	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\senior blonde fucking and suckin like a teen.mpg.pif	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\babe doing boyfriend and his buddy.mpg.pif	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\jenna jameson - built for speed.exe	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\chicks working orgasm from dude's cock as a present.mpg.pif	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\honie with thick ass spreading her money maker.mpg.pif	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\babes with an assortment of delicious big juggs.mpg.pif	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\beautiful blonde gettin an anal fucking.mpg.pif	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\2 horny babes doing 1 lucky dude.mpg.pif	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\fat grannies action.mpg.pif	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0076e38ce4e63a212d9e1e2e53e19f12_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\macromd\Harry Potter and the sorcerors stone.divx.exe

Filesize
77KB

MD5
1cda52ed2a59784a5983b301463596d8

SHA1
281c74daa0223bfcaedb314b0a04664ba30daabd

SHA256
c2213a24b49bd1dcce0e12a21157395934fd53e060a01ca602c4fbe41358dd91

SHA512
85476ecc8051fd9ae3e94edf2a7e7f29f3af02373425da54cfb132b9fc7beb724583c582fed648c0f72807e2a54a0dfe7cb10cbd52a67b01eebb7cc89575ddfd

Download Submit
memory/2512-3-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2512-35-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads