a13b5b7fd3eaaef62ce470217b12d56da50c5c56cb36c93f75a089e3e0fd85dd

Analysis

max time kernel
150s
max time network
31s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

970238efcd912d26261bbbf976638d98_JaffaCakes118.exe
Size

376KB
MD5

970238efcd912d26261bbbf976638d98
SHA1

5f4b470e46f656e698dcc6c8b96683aa817b29cc
SHA256

a13b5b7fd3eaaef62ce470217b12d56da50c5c56cb36c93f75a089e3e0fd85dd
SHA512

0be997aea5eea4dc9af843d7520941d13ac8bfa4d8a0a58f3c3169ff66a381238f1d21d32accedd31010ae87c25782ea380713fa533d3d6cd5bf69b77136427a
SSDEEP

6144:2Cf96BO50qlZYP+AC9SJfZzNyeahyLu8Qa6pd9kxVLp+voS:f96M50EY+/9S9ZEewyLu9a09o+oS

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2872	kG07601NnIcP07601.exe

Executes dropped EXE 1 IoCs

pid	Process
2872	kG07601NnIcP07601.exe

Loads dropped DLL 1 IoCs

pid	Process
448	970238efcd912d26261bbbf976638d98_JaffaCakes118.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/448-0-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/448-5-0x0000000000400000-0x00000000004BF000-memory.dmp	upx
behavioral1/files/0x0008000000016d14-12.dat	upx
behavioral1/memory/448-16-0x00000000029E0000-0x0000000002AAD000-memory.dmp	upx
behavioral1/memory/2872-17-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/448-19-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2872-26-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/448-20-0x0000000000400000-0x00000000004BF000-memory.dmp	upx
behavioral1/memory/2872-30-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2872-39-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kG07601NnIcP07601 = "C:\\ProgramData\\kG07601NnIcP07601\\kG07601NnIcP07601.exe"	kG07601NnIcP07601.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	970238efcd912d26261bbbf976638d98_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kG07601NnIcP07601.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	kG07601NnIcP07601.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
448	970238efcd912d26261bbbf976638d98_JaffaCakes118.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	448	970238efcd912d26261bbbf976638d98_JaffaCakes118.exe
Token: SeDebugPrivilege	2872	kG07601NnIcP07601.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2872	kG07601NnIcP07601.exe
2872	kG07601NnIcP07601.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 2872	448	970238efcd912d26261bbbf976638d98_JaffaCakes118.exe	29
PID 448 wrote to memory of 2872	448	970238efcd912d26261bbbf976638d98_JaffaCakes118.exe	29
PID 448 wrote to memory of 2872	448	970238efcd912d26261bbbf976638d98_JaffaCakes118.exe	29
PID 448 wrote to memory of 2872	448	970238efcd912d26261bbbf976638d98_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\970238efcd912d26261bbbf976638d98_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\970238efcd912d26261bbbf976638d98_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448
- C:\ProgramData\kG07601NnIcP07601\kG07601NnIcP07601.exe
  "C:\ProgramData\kG07601NnIcP07601\kG07601NnIcP07601.exe" "C:\Users\Admin\AppData\Local\Temp\970238efcd912d26261bbbf976638d98_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kG07601NnIcP07601\kG07601NnIcP07601

Filesize
192B

MD5
9173b0d0b94d4578aea232094ca564de

SHA1
0f8028bc6c9ac4f6b511e2f39f083a19f5be9a39

SHA256
966e2ac768b581930ebc6079459edd38d02165be043aeb709017834ca15a3c00

SHA512
a75c511df0c75b047cc02d70f0452959d106fb6a7edf06996d5995319bd32a57866371afd462eda4806ec69b330b5fcbf1cc82a21ec24b0d40ae769ce590085f

Download Submit
\ProgramData\kG07601NnIcP07601\kG07601NnIcP07601.exe

Filesize
376KB

MD5
d23b506385dccaa877b87358e94cb972

SHA1
af81814fc76fd4337d321b55a36384f228b6bdef

SHA256
561a0e27067cca0c5530bbd6056fcc72b6a8d13b57a9f895631e89835b8e0c4c

SHA512
99cf225f25f3b7413545eb880acfffb69c6158b905f7623088bf56b3b97172628d9e4e747fe52044ea90e364c1b8e2363ac9da2bd23c0802dcc70dd738a74ff0

Download Submit
memory/448-5-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/448-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/448-2-0x00000000004D0000-0x0000000000523000-memory.dmp

Filesize
332KB

Download
memory/448-16-0x00000000029E0000-0x0000000002AAD000-memory.dmp

Filesize
820KB

Download
memory/448-19-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/448-1-0x0000000001DD0000-0x0000000001E75000-memory.dmp

Filesize
660KB

Download
memory/448-20-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2872-17-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2872-26-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2872-30-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2872-39-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download