c32e4e4c3f5ab8d667aa1d7016cdc8b6d04aed79b8c1bb15a2ffd6ed4c3d2ed8

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bc95842450b8a3a320ddbb9a7f9343a_JaffaCakes118.exe
Size

18KB
MD5

8bc95842450b8a3a320ddbb9a7f9343a
SHA1

1f5e7346ba50b3a82cb9eee5fb9f80ca91cc0acb
SHA256

c32e4e4c3f5ab8d667aa1d7016cdc8b6d04aed79b8c1bb15a2ffd6ed4c3d2ed8
SHA512

905de5126ce2688410ccb3afbba12f4ce7c2e404f88daef6329b2da62cb3796c409b5417df1b8a6b2ee206e304174a8f592fcc49df09d808eb814d632dcfb8c0
SSDEEP

384:5DT8mGvQa7hPKALXc3Sca2oByTcRSJGDPntgEoB1D6wJGsmJEa:5DT8mGvQajr9yMtgPD6Pfp

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0031000000016db0-5.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2572	cmd.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2660-0-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral1/files/0x0031000000016db0-5.dat	upx
behavioral1/memory/2660-20-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dsound.dll.dat	8bc95842450b8a3a320ddbb9a7f9343a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dsound.dll.dat	8bc95842450b8a3a320ddbb9a7f9343a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dsound.dll.LDPA	8bc95842450b8a3a320ddbb9a7f9343a_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\System\kb0f771120.csa	8bc95842450b8a3a320ddbb9a7f9343a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\kb0f771120.csa	8bc95842450b8a3a320ddbb9a7f9343a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8bc95842450b8a3a320ddbb9a7f9343a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2660	8bc95842450b8a3a320ddbb9a7f9343a_JaffaCakes118.exe
2660	8bc95842450b8a3a320ddbb9a7f9343a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	8bc95842450b8a3a320ddbb9a7f9343a_JaffaCakes118.exe
Token: SeDebugPrivilege	2660	8bc95842450b8a3a320ddbb9a7f9343a_JaffaCakes118.exe
Token: SeDebugPrivilege	2660	8bc95842450b8a3a320ddbb9a7f9343a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2572	2660	8bc95842450b8a3a320ddbb9a7f9343a_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2572	2660	8bc95842450b8a3a320ddbb9a7f9343a_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2572	2660	8bc95842450b8a3a320ddbb9a7f9343a_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2572	2660	8bc95842450b8a3a320ddbb9a7f9343a_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\8bc95842450b8a3a320ddbb9a7f9343a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8bc95842450b8a3a320ddbb9a7f9343a_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tempVidio.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\System\kb0f771120.csa

Filesize
8KB

MD5
527a9b86d68a1da640dec9498b9c0345

SHA1
351f08a2cad2abc623e64cc06727013421d92f3b

SHA256
1242334ed507b39548bc4c5f442c32a7b3f3ed6fbe3ee23878b61a5d6002ce3d

SHA512
cdf8dc0316d9e9f7cd455a4996d9e398ab2e5d0b20cc437435438ea41393d0cc16820c7470a2f078d2cefdfb4c45c539d79ba22efbd8b0535fd15c19ac19fbe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempVidio.bat

Filesize
199B

MD5
3985ec92d8cbe2368b073083790ed9d7

SHA1
2c5e725be388fa04646f77bf82be8b9755609747

SHA256
4a74c1e56622a892af8a216eeaecbb27ae58c3db249d741fee12074eb7df03ba

SHA512
80374a0cab0409bde259e833b469a57ddd292bf68b339767a6b21757e1c1546de1cb33464b719ea2a8182c14325b8d58b5dd4e87b8fbc3aaa650fde63c6116fe

Download Submit
memory/2660-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2660-20-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download