79946e6f4a12cfc15534a9a305604286b9700ae10293b913d071def7ee73a3a4

Analysis

max time kernel
130s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2024, 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a06d2d3c1c27206aab7858bc0dba8b25_JaffaCakes118.exe
Size

167KB
MD5

a06d2d3c1c27206aab7858bc0dba8b25
SHA1

6cb9ecb853ff64e45bbcf71f815d4d1a48d643f7
SHA256

79946e6f4a12cfc15534a9a305604286b9700ae10293b913d071def7ee73a3a4
SHA512

5340089f276695b6e2a81557be907fa0c665e7a77dabb8def814e17869a3b2d86493a9e69e087fca217e31b8999837a2969827f59aae06fa4e5acffea55d5efe
SSDEEP

3072:P55UdQJvAUqsQixbm6tG0gkWAki3Mk2MG0cQS1ctoeYyeRb8CdfWsEFPouuJf9Hk:PYSvtqpixKB0gs8k290A2tovbVd9EFwo

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4604	init.exe
3004	initin.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2184-0-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/files/0x00090000000233c1-5.dat	upx
behavioral2/memory/4604-6-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral2/memory/4604-8-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral2/files/0x0008000000023412-10.dat	upx
behavioral2/memory/3004-11-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/3004-13-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/2184-15-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2184-18-0x0000000000400000-0x0000000000457000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a06d2d3c1c27206aab7858bc0dba8b25_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	init.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	initin.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 4604	2184	a06d2d3c1c27206aab7858bc0dba8b25_JaffaCakes118.exe	84
PID 2184 wrote to memory of 4604	2184	a06d2d3c1c27206aab7858bc0dba8b25_JaffaCakes118.exe	84
PID 2184 wrote to memory of 4604	2184	a06d2d3c1c27206aab7858bc0dba8b25_JaffaCakes118.exe	84
PID 2184 wrote to memory of 3004	2184	a06d2d3c1c27206aab7858bc0dba8b25_JaffaCakes118.exe	85
PID 2184 wrote to memory of 3004	2184	a06d2d3c1c27206aab7858bc0dba8b25_JaffaCakes118.exe	85
PID 2184 wrote to memory of 3004	2184	a06d2d3c1c27206aab7858bc0dba8b25_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\a06d2d3c1c27206aab7858bc0dba8b25_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a06d2d3c1c27206aab7858bc0dba8b25_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\init.exe
  C:\Users\Admin\AppData\Local\Temp\init.exe setup.lo1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4604
- C:\Users\Admin\AppData\Local\Temp\initin.exe
  C:\Users\Admin\AppData\Local\Temp\initin.exe /stext setup.lo2
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\init.exe

Filesize
55KB

MD5
87fae36e0ac93f8aaa45f7d0ee8327cf

SHA1
5a206d743367eca0f7c32d52643909ea1ba8e66b

SHA256
3b8f8b156a9c87c6987e37d01633d2520199a779486ea9e47d22b468fbcd01d3

SHA512
359bd8bcee930e278536786f57e1935eb87e0c17f4128043cb0734ff341989608b14e2d53a3a5cc30f4b082f78997a8ef794b87f9ccc2e45add09a75a6d2d7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\initin.exe

Filesize
29KB

MD5
74a10e2c8853db0ab1d698680d3e05e3

SHA1
ccc6e8b5787580b23c8ca4d8723e13879e8b1be1

SHA256
f9cd2cb3a7f5ac1bc0f539c011dd09bebcf6d3ee3e4ac3c8d3588da89aa7e7b6

SHA512
5c1a3c6dfab521b762fcc31b5d3edbb50e5189beb4f7f2ff8b0de77ca356abe193d0d057681ca78ac19e1f1f9b8c57aca98f187e81db31745209dd114266dfca

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.lo1

Filesize
601B

MD5
f4e95fe4d75a539dbe33ff0dca1b06ec

SHA1
11f7409ad6de5e6e5610b05cf4e8fde3eb7b4314

SHA256
f18b80df2667447b66a4d0e0a613eb2776f659baae26af0f2b2eb411fc3715b8

SHA512
bb9f7b128bcbe46f8f3a5d226ce5ae23ecc50d972ee9743edaf2889bc3cde2cdf9b94c66911e537d1447dfee16856e64dcb71a14e6bf959d89b0141c16a13186

Download Submit
memory/2184-0-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2184-15-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2184-18-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3004-11-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3004-13-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4604-6-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4604-8-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download