a34f7e418147fcc13c5a9a9fe6e222b365c3c483f54626a31cb576f574a26fb6

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8eb04be6c829737c622632a1839396f_JaffaCakes118.exe
Size

443KB
MD5

a8eb04be6c829737c622632a1839396f
SHA1

f239934b1a920fa39a4d8b8dadc30801ad275c64
SHA256

a34f7e418147fcc13c5a9a9fe6e222b365c3c483f54626a31cb576f574a26fb6
SHA512

212ddff16bd718fa22c33e9c68ce7d4bdb5e69db348416d17c560b9c03eb3f77688afa73c7f1b69f1386953b5e24c8d92deb6faa7f59108cf634470b3afda5b4
SSDEEP

6144:ueW0FbGzEPsdksJ2hyY4jfQXwwhZ7HxCGpJv5U0jfpi13EJ6iymz/wGvktiuY/Y:tFWkhsghyLfQgwsuLjf43EKmc0kf

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2820	pE01831BpJkC01831.exe

Executes dropped EXE 1 IoCs

pid	Process
2820	pE01831BpJkC01831.exe

Loads dropped DLL 2 IoCs

pid	Process
852	a8eb04be6c829737c622632a1839396f_JaffaCakes118.exe
852	a8eb04be6c829737c622632a1839396f_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/852-2-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/852-20-0x0000000000400000-0x00000000004BF000-memory.dmp	upx
behavioral1/memory/852-19-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2820-31-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2820-41-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pE01831BpJkC01831 = "C:\\ProgramData\\pE01831BpJkC01831\\pE01831BpJkC01831.exe"	pE01831BpJkC01831.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8eb04be6c829737c622632a1839396f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pE01831BpJkC01831.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	pE01831BpJkC01831.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
852	a8eb04be6c829737c622632a1839396f_JaffaCakes118.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	852	a8eb04be6c829737c622632a1839396f_JaffaCakes118.exe
Token: SeDebugPrivilege	2820	pE01831BpJkC01831.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2820	pE01831BpJkC01831.exe
2820	pE01831BpJkC01831.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 2820	852	a8eb04be6c829737c622632a1839396f_JaffaCakes118.exe	31
PID 852 wrote to memory of 2820	852	a8eb04be6c829737c622632a1839396f_JaffaCakes118.exe	31
PID 852 wrote to memory of 2820	852	a8eb04be6c829737c622632a1839396f_JaffaCakes118.exe	31
PID 852 wrote to memory of 2820	852	a8eb04be6c829737c622632a1839396f_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\a8eb04be6c829737c622632a1839396f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a8eb04be6c829737c622632a1839396f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:852
- C:\ProgramData\pE01831BpJkC01831\pE01831BpJkC01831.exe
  "C:\ProgramData\pE01831BpJkC01831\pE01831BpJkC01831.exe" "C:\Users\Admin\AppData\Local\Temp\a8eb04be6c829737c622632a1839396f_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pE01831BpJkC01831\pE01831BpJkC01831

Filesize
192B

MD5
4178595edf0f8f50097cf3c1ab99285e

SHA1
87f53f6932559f3a239e7e7e18ee4b2e16a71c20

SHA256
15029d41884ace8ac8b3690141d5dbea60b07ea7f2be38bcdb683fd58026a1af

SHA512
f1cd4f0a607baaaa726c7acf5761b21a9db69c104b571f6c7d5dd7465a484013839b96f73ec17b600b6e4c20fc89e77406508516dab71c8715bbd092161aecfa

Download Submit
\ProgramData\pE01831BpJkC01831\pE01831BpJkC01831.exe

Filesize
443KB

MD5
a18ff40f5fa9526471be656c026bbf3a

SHA1
7ffa3c283a9d19ec9a1977aebe87abf26ba21bc8

SHA256
ea546dfef4e50da22ba4b6222df940429e73b6c99d0688b99d3e8132259d9a47

SHA512
4b3c695784eaa1594c13411a014d4753914c98c95102d32cca9f8c7d72fae6db759e6c43112b4310be083a0b61bd9bc26244d2b693ad6bf638bc4f9c97da8665

Download Submit
memory/852-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/852-2-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/852-20-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/852-19-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2820-22-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2820-31-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2820-41-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download