78897ff984e369ec464a09ac48cfe5472ac172c1fa9beb50ef99452943161e35

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 12:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
Size

21KB
MD5

9623b854b58eda8b758e55833ee598a8
SHA1

8b8779da9c3c5d7058953e0f3728dd67b96fd192
SHA256

78897ff984e369ec464a09ac48cfe5472ac172c1fa9beb50ef99452943161e35
SHA512

d1cad0d36089334d46e3581af37bad931091971aa606cf887243565515b55f9b876a2b5874c077db14bd6e4c8c7bfd687f235ab1cf38527c2e6300ba4ef6c84c
SSDEEP

384:FZcpzCIqdG3A3WUkx38GZDJuJbf1+o44u8gHzU7rve7:SCIqdH/k1ZVcT194jp4nG7

Score

7^/10

discovery persistence upx

Malware Config

Signatures

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1368-0-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/1368-3-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/1368-5-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/1368-7-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/1368-9-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/files/0x000800000002346d-13.dat	upx
behavioral2/memory/1368-86-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/1368-135-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/1368-160-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/1368-234-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/1368-296-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/1368-297-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/1368-298-0x0000000000800000-0x000000000080D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Traybar = "C:\\Windows\\lsass.exe"	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\Harry Potter.exe	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\Triedit\en-US\Winamp 5.0 (en).com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WinRAR.v.3.2.and.key.ShareReactor.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\ICQ 4 Lite.exe	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\Harry Potter.ShareReactor.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\WinRAR.v.3.2.and.key.ShareReactor.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\Kazaa Lite.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\Kazaa Lite.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\Winamp 5.0 (en) Crack.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Winamp 5.0 (en).com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E9784CD5-5A44-4237-9320-11B5AE64D6A2\root\vfs\Windows\assembly\Harry Potter.ShareReactor.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\Triedit\Harry Potter.exe	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\Winamp 5.0 (en).ShareReactor.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\WinRAR.v.3.2.and.key.ShareReactor.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\index.ShareReactor.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\index.ShareReactor.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E9784CD5-5A44-4237-9320-11B5AE64D6A2\ICQ 4 Lite.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Winamp 5.0 (en).com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\WinRAR.v.3.2.and.key.exe	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\Kazaa Lite.exe	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\Harry Potter.exe	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\Winamp 5.0 (en).com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\Harry Potter.exe	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Harry Potter.ShareReactor.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\Kazaa Lite.exe	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\Kazaa Lite.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\Kazaa Lite.exe	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\Kazaa Lite.exe	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\Winamp 5.0 (en).ShareReactor.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\WinRAR.v.3.2.and.key.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\WinRAR.v.3.2.and.key.exe	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\Winamp 5.0 (en).ShareReactor.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\Kazaa Lite.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\index.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\th-TH\Winamp 5.0 (en) Crack.exe	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\Harry Potter.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\Kazaa Lite.ShareReactor.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\Winamp 5.0 (en).exe	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\ICQ 4 Lite.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\WinRAR.v.3.2.and.key.exe	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\WinRAR.v.3.2.and.key.exe	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\ICQ 4 Lite.ShareReactor.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\ICQ 4 Lite.exe	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\WinRAR.v.3.2.and.key.ShareReactor.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\index.ShareReactor.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\Harry Potter.ShareReactor.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\index.ShareReactor.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\WinRAR.v.3.2.and.key.exe	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\Winamp 5.0 (en).ShareReactor.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\WinRAR.v.3.2.and.key.ShareReactor.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\Kazaa Lite.exe	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\Harry Potter.exe	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\Winamp 5.0 (en).ShareReactor.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\Kazaa Lite.ShareReactor.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\Winamp 5.0 (en) Crack.exe	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\ICQ 4 Lite.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\WinRAR.v.3.2.and.key.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\index.ShareReactor.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\index.ShareReactor.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\Kazaa Lite.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\Winamp 5.0 (en) Crack.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\Kazaa Lite.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\index.com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\TextConv\Winamp 5.0 (en).com	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\lsass.exe	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
File created	C:\Windows\lsass.exe	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9623b854b58eda8b758e55833ee598a8_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ink\ar-SA\Winamp 5.0 (en).exe

Filesize
21KB

MD5
9623b854b58eda8b758e55833ee598a8

SHA1
8b8779da9c3c5d7058953e0f3728dd67b96fd192

SHA256
78897ff984e369ec464a09ac48cfe5472ac172c1fa9beb50ef99452943161e35

SHA512
d1cad0d36089334d46e3581af37bad931091971aa606cf887243565515b55f9b876a2b5874c077db14bd6e4c8c7bfd687f235ab1cf38527c2e6300ba4ef6c84c

Download Submit
memory/1368-86-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1368-5-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1368-7-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1368-9-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1368-3-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1368-0-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1368-135-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1368-160-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1368-234-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1368-296-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1368-297-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1368-298-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads