fa1091da65d31a1d6765f7e571cf21113f1a35e9042e14f630d11fb8789b2428

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0ffa92f27e5d2c3d076b57b494d9df6_JaffaCakes118.exe
Size

236KB
MD5

a0ffa92f27e5d2c3d076b57b494d9df6
SHA1

3cd55bfb1f678c5e3d6bdf2a51d7797540150fa5
SHA256

fa1091da65d31a1d6765f7e571cf21113f1a35e9042e14f630d11fb8789b2428
SHA512

cd59b26e556deaa4534d91290d976adf53553bc04a58c2828bda485a14bd5313a22f738cec9b9c6257665e10410689886ad52242c3ce0fc71738a2d36bb811d3
SSDEEP

6144:3YcOfQqdbm/R2NCIWV17fpgKUj5zKBmE3BFxrfc9wA:3YU1/RkCIWBgKadKIE3BTcR

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2160	unpps.exe

Loads dropped DLL 2 IoCs

pid	Process
2580	a0ffa92f27e5d2c3d076b57b494d9df6_JaffaCakes118.exe
2160	unpps.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2580-4-0x0000000000400000-0x000000000053D000-memory.dmp	upx
behavioral1/files/0x000600000001938e-13.dat	upx
behavioral1/memory/2580-23-0x0000000000400000-0x000000000053D000-memory.dmp	upx
behavioral1/memory/2160-24-0x0000000000400000-0x000000000053D000-memory.dmp	upx
behavioral1/memory/2160-35-0x0000000000400000-0x000000000053D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0ffa92f27e5d2c3d076b57b494d9df6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unpps.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2160	2580	a0ffa92f27e5d2c3d076b57b494d9df6_JaffaCakes118.exe	30
PID 2580 wrote to memory of 2160	2580	a0ffa92f27e5d2c3d076b57b494d9df6_JaffaCakes118.exe	30
PID 2580 wrote to memory of 2160	2580	a0ffa92f27e5d2c3d076b57b494d9df6_JaffaCakes118.exe	30
PID 2580 wrote to memory of 2160	2580	a0ffa92f27e5d2c3d076b57b494d9df6_JaffaCakes118.exe	30
PID 2580 wrote to memory of 2160	2580	a0ffa92f27e5d2c3d076b57b494d9df6_JaffaCakes118.exe	30
PID 2580 wrote to memory of 2160	2580	a0ffa92f27e5d2c3d076b57b494d9df6_JaffaCakes118.exe	30
PID 2580 wrote to memory of 2160	2580	a0ffa92f27e5d2c3d076b57b494d9df6_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\a0ffa92f27e5d2c3d076b57b494d9df6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a0ffa92f27e5d2c3d076b57b494d9df6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Roaming\PPStream\unpps.exe
  C:\Users\Admin\AppData\Roaming\PPStream\unpps.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\PPStream\unpps.ini

Filesize
57B

MD5
c0d17613b943c927aeb5caaaf3f55b2e

SHA1
d61365705962a0b80737743a758d0fcb99473d46

SHA256
a0638ce50e7d5b5b732266cd5357f48cb8727eb59286e5383ebd43367e11aab3

SHA512
8b6a23e12a304bd9f953bf4846fb60ce386ddf2f47eb9a004876fca5e8603aa5e33056922987b0a9c52c31a4f8131a30e727b4cdecde24d3794654ac6bc524ff

Download Submit
\Users\Admin\AppData\Local\Temp\nstAEE7.tmp\System.dll

Filesize
16KB

MD5
cacd0d325afd1ec48d9e9e7807ebffdb

SHA1
e97c5e3d3f5c10b27b44333e7afff3f7729e84f0

SHA256
0ff3f19054af91058b558f875f5ac31ae965adf66a54eb618657bf03e9a8abcf

SHA512
e742e904873b5a9ffed50245acb9f5a6d35eb510474397b33bc96c47ba3f27249069614098011bfc3395b7f7126dc8c74a109820d5c1522ac62519efdc4fe2c7

Download Submit
\Users\Admin\AppData\Roaming\PPStream\unpps.exe

Filesize
203KB

MD5
04e4fd8002ec508577da3f04de9406f3

SHA1
b17b920467f0504abac89fb97eb315bbc355d746

SHA256
3e4f945957feffc4d1456edf86114f91388b99da33bea76233c5371cf87fc60b

SHA512
3c95870c78b0521549ed846c16a351f3aa0828682bf1a12f4e1940b74ac5706075c6fb64fc8e3670f52193a43722b655445530930473cdda6864b569a9b8b7b0

Download Submit
memory/2160-24-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2160-35-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2580-5-0x0000000000250000-0x0000000000259000-memory.dmp

Filesize
36KB

Download
memory/2580-4-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2580-6-0x0000000000250000-0x0000000000259000-memory.dmp

Filesize
36KB

Download
memory/2580-23-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2580-22-0x0000000000250000-0x0000000000259000-memory.dmp

Filesize
36KB

Download