8846316e13f47523397b55996d2fc64039a1d4653f824ea8abe094278f25cfd9

Analysis

max time kernel
149s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 15:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a746ed6ae3e1620528fd188f998bb5e2_JaffaCakes118.exe
Size

854KB
MD5

a746ed6ae3e1620528fd188f998bb5e2
SHA1

06b4e3be9d25ad518b94d8418675c807ed5eeb98
SHA256

8846316e13f47523397b55996d2fc64039a1d4653f824ea8abe094278f25cfd9
SHA512

710227ddea817b7f08d75e68b8cb38efcf4aff5c26887f17f3cb159293f75d010a1d882ba61e7b804f0907cbb7a43f86adf79454e0cc4a5f0473c6ad3f4d93d3
SSDEEP

24576:mUWqistszvHyx9PnLTf0D1w1DRfuLoRhF25U+t6A3f:mUUFKNLYw1DJug4uZA3f

Score

7^/10

aspackv2 discovery upx

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00070000000234d2-24.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	a746ed6ae3e1620528fd188f998bb5e2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	AM-Install.exe

Executes dropped EXE 2 IoCs

pid	Process
224	AM-Install.exe
4332	AM-Install-Extracted.exe

Loads dropped DLL 2 IoCs

pid	Process
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00080000000234d1-10.dat	upx
behavioral2/memory/224-11-0x0000000000600000-0x00000000006E3000-memory.dmp	upx
behavioral2/memory/224-28-0x0000000000600000-0x00000000006E3000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a746ed6ae3e1620528fd188f998bb5e2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AM-Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AM-Install-Extracted.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe
4332	AM-Install-Extracted.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4332	AM-Install-Extracted.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 3528	3900	a746ed6ae3e1620528fd188f998bb5e2_JaffaCakes118.exe	86
PID 3900 wrote to memory of 3528	3900	a746ed6ae3e1620528fd188f998bb5e2_JaffaCakes118.exe	86
PID 3900 wrote to memory of 3528	3900	a746ed6ae3e1620528fd188f998bb5e2_JaffaCakes118.exe	86
PID 3528 wrote to memory of 224	3528	cmd.exe	89
PID 3528 wrote to memory of 224	3528	cmd.exe	89
PID 3528 wrote to memory of 224	3528	cmd.exe	89
PID 224 wrote to memory of 4332	224	AM-Install.exe	90
PID 224 wrote to memory of 4332	224	AM-Install.exe	90
PID 224 wrote to memory of 4332	224	AM-Install.exe	90

C:\Users\Admin\AppData\Local\Temp\a746ed6ae3e1620528fd188f998bb5e2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a746ed6ae3e1620528fd188f998bb5e2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\AM31318.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\AM-Install.exe
    AM-Install.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Users\Admin\AppData\Local\Temp\AM-Install-Extracted.exe
      "C:\Users\Admin\AppData\Local\Temp\AM-Install-Extracted.exe" /IPC 1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AM-Install-Extracted.exe

Filesize
842KB

MD5
733b322710a46a569bfca28f02b5dd05

SHA1
bc8499a5d45383bcd153a2d586866927215a93c6

SHA256
42a38f55164086c77310f3b2a97f6b744d9ff28aa53606e14e5ed73441879820

SHA512
7827c2287d658afdfa553ef4c40b835bc7eca3af235438889850219f6c31e6576daa4232688c1edf5953506bd7ed389e3b7d763ed2df4dadd53cd9135f467e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AM-Install.exe

Filesize
518KB

MD5
0652433b311df1ac63fc1ea667277b95

SHA1
7eec6d50c8b042c66d62912a79a95932df131e5b

SHA256
5ed356a0532017ae02a219b371f244ca6067b96b73af769168083568ff13220d

SHA512
2e7c1963c29fb858381f72e88763a4d7c4db33f96febaec442eb880c7ada0f7a1b0a0be7ad785dfedca25439828a75b7c4b8e74b3f6060dc2030b4073da2cdcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AM31318.bat

Filesize
236B

MD5
10d17ecc51cd806ca7c5c754c2a11ff4

SHA1
6f193dc95e15ff105ea1cfe719e61a71a1deea9a

SHA256
85fec9a089d5927b40c3e2227f4f7f0efed5189b35f1a4b88b360e58f47f4a82

SHA512
6066bce5e3c4ac41c8caa8c28291c33863981864a42108a73c8812b65e7151f1cda9eec42ce987f53def52e971133ea663708af3aa65b15949587bc269203d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AM31318.fre

Filesize
179KB

MD5
f8a7b5a888052ec14683a6055972a5bc

SHA1
5a66eb0b7d9faf8a30925cbef5e58f29461954e6

SHA256
e129014b44f57438b24f63dd615ba2eebe78181a208df7e476b54f1674597829

SHA512
fc2e3a2baff41caa6b7e49e04032c36dbdd82fba5932be78dc4f48c3e4461a447e9babbdf76c6a496cdcee545a855d48aae300fc68171488960d12a5da88955b

Download Submit
memory/224-11-0x0000000000600000-0x00000000006E3000-memory.dmp

Filesize
908KB

Download
memory/224-28-0x0000000000600000-0x00000000006E3000-memory.dmp

Filesize
908KB

Download
memory/4332-27-0x0000000000890000-0x00000000008D0000-memory.dmp

Filesize
256KB

Download