4a21100cb31462b3a7c5bc42aa9746173f6e93c8930e5a2c489739d84c7cce4f

Analysis

max time kernel
140s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86d9e1d4814dd1126b5be87a186d23a7_JaffaCakes118.exe
Size

18KB
MD5

86d9e1d4814dd1126b5be87a186d23a7
SHA1

479b1e66c1e977035ef1a3a4088505b98e504391
SHA256

4a21100cb31462b3a7c5bc42aa9746173f6e93c8930e5a2c489739d84c7cce4f
SHA512

37b241385ff34e57f3be6886776aa61e9aad6c1dd9816910aaa26194de504adb00a8c00fb50876d8b9f57072452c51b4869290b7a540874026661e6c6c3b445d
SSDEEP

384:tOgdMyv2BNsjwV0UNu5rR92aZgHkb6NFwHnaNJawcudoD7U8qaD8:tlpcVhAH2T26LwHanbcuyD7UOg

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2176-0-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/2176-14-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ddr005.ocx	86d9e1d4814dd1126b5be87a186d23a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\New.dll	86d9e1d4814dd1126b5be87a186d23a7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\New.dll	86d9e1d4814dd1126b5be87a186d23a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dsound.dll.240617000	86d9e1d4814dd1126b5be87a186d23a7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dsound.dll.240617000	86d9e1d4814dd1126b5be87a186d23a7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\1005.ocx	86d9e1d4814dd1126b5be87a186d23a7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\1005.ocx	86d9e1d4814dd1126b5be87a186d23a7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ddr005.ocx	86d9e1d4814dd1126b5be87a186d23a7_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2060	2176	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86d9e1d4814dd1126b5be87a186d23a7_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2176	86d9e1d4814dd1126b5be87a186d23a7_JaffaCakes118.exe
2176	86d9e1d4814dd1126b5be87a186d23a7_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\86d9e1d4814dd1126b5be87a186d23a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\86d9e1d4814dd1126b5be87a186d23a7_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 380
  2⤵
  - Program crash
  PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2176 -ip 2176
1⤵
PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.data2

Filesize
483KB

MD5
c0a9b9323c93aab9e88404a82ea4b972

SHA1
a1b0f874c9c7420c108a96cef84f9652c5dccc9c

SHA256
7613aadae7224cd760def1d8891531ebe542e155ca334673976995700770d72a

SHA512
fd72873ad6ef3dbd6db43883836cdcbaa050d3d5c4a1a9516ee5ddc486062f76541800ca022f6574776fe931b3e08fcf169e3ef96c808dafbd6b9781951ddb94

Download Submit
memory/2176-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2176-14-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download