43b9abbf4fceb5d63f1b17c4ce358a71fb54ec730c01b3b1c3134e732981c3af

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-08-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c40cffe31d7fb4f2074a7f27e8a9117_JaffaCakes118.exe
Size

18KB
MD5

8c40cffe31d7fb4f2074a7f27e8a9117
SHA1

c107edd20b858eda0f08e3a16ff1ec880860acb6
SHA256

43b9abbf4fceb5d63f1b17c4ce358a71fb54ec730c01b3b1c3134e732981c3af
SHA512

8a68587c66f61757486225b1aa21e1f05f7f8a6aa8acac100767df1c2ce87ac3867572a95e2b0043ce184a1a869cf531926d902778e0ac4f95ffab09281ea2b5
SSDEEP

384:n1PEqwC0GXgoGe8yzwnVBTdYr0/19GppxwrePzgwru+unPy:1srCvgoG7yzw3TdB/1OfHzv6+gy

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3568	8c40cffe31d7fb4f2074a7f27e8a9117_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3568-0-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/3568-14-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NAVMon64 = "C:\\Windows\\NAVMon64.exE"	8c40cffe31d7fb4f2074a7f27e8a9117_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NAVMon64.dll	8c40cffe31d7fb4f2074a7f27e8a9117_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\NAVMon64.exE	8c40cffe31d7fb4f2074a7f27e8a9117_JaffaCakes118.exe
File opened for modification	C:\Windows\NAVMon64.exE	8c40cffe31d7fb4f2074a7f27e8a9117_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c40cffe31d7fb4f2074a7f27e8a9117_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3568	8c40cffe31d7fb4f2074a7f27e8a9117_JaffaCakes118.exe
3568	8c40cffe31d7fb4f2074a7f27e8a9117_JaffaCakes118.exe
3568	8c40cffe31d7fb4f2074a7f27e8a9117_JaffaCakes118.exe
3568	8c40cffe31d7fb4f2074a7f27e8a9117_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3568	8c40cffe31d7fb4f2074a7f27e8a9117_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 3472	3568	8c40cffe31d7fb4f2074a7f27e8a9117_JaffaCakes118.exe	56
PID 3568 wrote to memory of 3472	3568	8c40cffe31d7fb4f2074a7f27e8a9117_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3472
- C:\Users\Admin\AppData\Local\Temp\8c40cffe31d7fb4f2074a7f27e8a9117_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\8c40cffe31d7fb4f2074a7f27e8a9117_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\NAVMon64.dll

Filesize
26KB

MD5
10c07388c3e11abdc19811972e91b0b4

SHA1
37599b493f0e610109c5d61482025d847ad5d9cc

SHA256
52bc7609ce645384e29dfdbb3e31e6b1995c2ca1099b3104e88b5f96d18a325f

SHA512
3cbafd9961bc1c4fdbec44efe2ea86ae6719cab3e24f4046c603cc497d9008eb3d6563c806ecc9df84804555bbb8c315ec24bcccba9a4a828c6f64012e3b2c36

Download Submit
memory/3472-3-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/3568-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3568-14-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3568-13-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/3568-8-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/3568-6-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download