b99c99970776a13ee9ab83ece88c016fb7cbab6cd90a183147a80c01049087eb

Analysis

max time kernel
135s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a647baecccdedab48869a55739bab857_JaffaCakes118.exe
Size

616KB
MD5

a647baecccdedab48869a55739bab857
SHA1

8e1b263df2b461a7d7613a6437d6e80673a4ebce
SHA256

b99c99970776a13ee9ab83ece88c016fb7cbab6cd90a183147a80c01049087eb
SHA512

5b6e96d4ca9e4c0870bf44182112cd6a4f95d57bf5cc075f89dbadd40fdf6cd91db408b1e9b0e10f510ad97db651c1033d61b259262158c94e45b86c0073acf5
SSDEEP

6144:7FeAQzmY4f+6qlTVzKb03lO8aqPZH8Faau/WnFPHWhI4jXwAJam0ucBMioTgrqbq:XJmzwr6CWWBoI9KsbO

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4500	Rhibaa.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/368-0-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral2/files/0x000b0000000233d9-10.dat	upx
behavioral2/memory/4500-11-0x0000000000400000-0x000000000049C000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Rhibaa.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Rhibaa.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	a647baecccdedab48869a55739bab857_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	a647baecccdedab48869a55739bab857_JaffaCakes118.exe
File created	C:\Windows\Rhibaa.exe	a647baecccdedab48869a55739bab857_JaffaCakes118.exe
File opened for modification	C:\Windows\Rhibaa.exe	a647baecccdedab48869a55739bab857_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
17572	4500	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a647baecccdedab48869a55739bab857_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rhibaa.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main	Rhibaa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe
4500	Rhibaa.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
368	a647baecccdedab48869a55739bab857_JaffaCakes118.exe
4500	Rhibaa.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 4500	368	a647baecccdedab48869a55739bab857_JaffaCakes118.exe	89
PID 368 wrote to memory of 4500	368	a647baecccdedab48869a55739bab857_JaffaCakes118.exe	89
PID 368 wrote to memory of 4500	368	a647baecccdedab48869a55739bab857_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\a647baecccdedab48869a55739bab857_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a647baecccdedab48869a55739bab857_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\Rhibaa.exe
  C:\Windows\Rhibaa.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4500
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 920
    3⤵
    - Program crash
    PID:17572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4500 -ip 4500
1⤵
PID:16568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Rhibaa.exe

Filesize
616KB

MD5
a647baecccdedab48869a55739bab857

SHA1
8e1b263df2b461a7d7613a6437d6e80673a4ebce

SHA256
b99c99970776a13ee9ab83ece88c016fb7cbab6cd90a183147a80c01049087eb

SHA512
5b6e96d4ca9e4c0870bf44182112cd6a4f95d57bf5cc075f89dbadd40fdf6cd91db408b1e9b0e10f510ad97db651c1033d61b259262158c94e45b86c0073acf5

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
390B

MD5
c684d296dd61f2d19c9cf844241d14a8

SHA1
31b5372fca05af95ed647999ac9bee72c599ee84

SHA256
7c1f72757810d89bc8ecd7348abce7d8a1f66316027a1efc5a91e75e08a39de2

SHA512
0b731e5d01d40ea26985cc667d0ddc383388daa723ddf0ceaae7ce7ee28335eb29998783e738f0ce1a2e9c3a5aedecdd8104179da8aa5bf9ac8f227094cd689b

Download Submit
memory/368-0-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/368-1-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/368-2-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/368-2730-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/368-99861-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4500-11-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4500-19-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4500-99862-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4500-99866-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download