8f1de4913c10dd6406b72eec21ba8960691736fa7040e13fb6d304d65f2daa3c

Analysis

max time kernel
141s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa12ec2c1b02a71a231f237a642f6448_JaffaCakes118.exe
Size

255KB
MD5

aa12ec2c1b02a71a231f237a642f6448
SHA1

078e15dd4b985c97949e374320c4429705db9502
SHA256

8f1de4913c10dd6406b72eec21ba8960691736fa7040e13fb6d304d65f2daa3c
SHA512

c3352b55692fd43a8839d23ae9c055f1805c25f0bef90d8b244ee04d3ecc05da99a5d74e78b83e5e9d074b3ae445c81241d6c29d7652f7cb3f06e0f8da6c2e9d
SSDEEP

6144:lhRO19OeTt3cPDSVhwPhZpKC8CDWiRM5MH7/iymF:Y7Oex3crSnIpKiD9MKXmF

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3068	Project1.exe
2412	±ðµãÎÒ14916109.exe
2932	S0UG0U.exe

Loads dropped DLL 5 IoCs

pid	Process
2412	±ðµãÎÒ14916109.exe
2412	±ðµãÎÒ14916109.exe
2932	S0UG0U.exe
2932	S0UG0U.exe
2932	S0UG0U.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016d28-15.dat	upx
behavioral1/memory/2412-17-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2932-34-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2412-44-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2932-62-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Project1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	±ðµãÎÒ14916109.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S0UG0U.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa12ec2c1b02a71a231f237a642f6448_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 3068	1512	aa12ec2c1b02a71a231f237a642f6448_JaffaCakes118.exe	30
PID 1512 wrote to memory of 3068	1512	aa12ec2c1b02a71a231f237a642f6448_JaffaCakes118.exe	30
PID 1512 wrote to memory of 3068	1512	aa12ec2c1b02a71a231f237a642f6448_JaffaCakes118.exe	30
PID 1512 wrote to memory of 3068	1512	aa12ec2c1b02a71a231f237a642f6448_JaffaCakes118.exe	30
PID 1512 wrote to memory of 3068	1512	aa12ec2c1b02a71a231f237a642f6448_JaffaCakes118.exe	30
PID 1512 wrote to memory of 3068	1512	aa12ec2c1b02a71a231f237a642f6448_JaffaCakes118.exe	30
PID 1512 wrote to memory of 3068	1512	aa12ec2c1b02a71a231f237a642f6448_JaffaCakes118.exe	30
PID 1512 wrote to memory of 2412	1512	aa12ec2c1b02a71a231f237a642f6448_JaffaCakes118.exe	31
PID 1512 wrote to memory of 2412	1512	aa12ec2c1b02a71a231f237a642f6448_JaffaCakes118.exe	31
PID 1512 wrote to memory of 2412	1512	aa12ec2c1b02a71a231f237a642f6448_JaffaCakes118.exe	31
PID 1512 wrote to memory of 2412	1512	aa12ec2c1b02a71a231f237a642f6448_JaffaCakes118.exe	31
PID 1512 wrote to memory of 2412	1512	aa12ec2c1b02a71a231f237a642f6448_JaffaCakes118.exe	31
PID 1512 wrote to memory of 2412	1512	aa12ec2c1b02a71a231f237a642f6448_JaffaCakes118.exe	31
PID 1512 wrote to memory of 2412	1512	aa12ec2c1b02a71a231f237a642f6448_JaffaCakes118.exe	31
PID 2412 wrote to memory of 2932	2412	±ðµãÎÒ14916109.exe	32
PID 2412 wrote to memory of 2932	2412	±ðµãÎÒ14916109.exe	32
PID 2412 wrote to memory of 2932	2412	±ðµãÎÒ14916109.exe	32
PID 2412 wrote to memory of 2932	2412	±ðµãÎÒ14916109.exe	32
PID 2412 wrote to memory of 2932	2412	±ðµãÎÒ14916109.exe	32
PID 2412 wrote to memory of 2932	2412	±ðµãÎÒ14916109.exe	32
PID 2412 wrote to memory of 2932	2412	±ðµãÎÒ14916109.exe	32
PID 2412 wrote to memory of 2264	2412	±ðµãÎÒ14916109.exe	33
PID 2412 wrote to memory of 2264	2412	±ðµãÎÒ14916109.exe	33
PID 2412 wrote to memory of 2264	2412	±ðµãÎÒ14916109.exe	33
PID 2412 wrote to memory of 2264	2412	±ðµãÎÒ14916109.exe	33
PID 2412 wrote to memory of 2264	2412	±ðµãÎÒ14916109.exe	33
PID 2412 wrote to memory of 2264	2412	±ðµãÎÒ14916109.exe	33
PID 2412 wrote to memory of 2264	2412	±ðµãÎÒ14916109.exe	33
PID 2932 wrote to memory of 2232	2932	S0UG0U.exe	35
PID 2932 wrote to memory of 2232	2932	S0UG0U.exe	35
PID 2932 wrote to memory of 2232	2932	S0UG0U.exe	35
PID 2932 wrote to memory of 2232	2932	S0UG0U.exe	35
PID 2932 wrote to memory of 2232	2932	S0UG0U.exe	35
PID 2932 wrote to memory of 2232	2932	S0UG0U.exe	35
PID 2932 wrote to memory of 2232	2932	S0UG0U.exe	35

C:\Users\Admin\AppData\Local\Temp\aa12ec2c1b02a71a231f237a642f6448_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aa12ec2c1b02a71a231f237a642f6448_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Project1.exe
  "C:\Project1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3068
- C:\±ðµãÎÒ14916109.exe
  "C:\±ðµãÎÒ14916109.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Users\Admin\AppData\Local\Temp\S0UG0U.exe
    C:\Users\Admin\AppData\Local\Temp\S0UG0U.exe arg2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\Gameupdate.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Gameupdate.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Project1.exe

Filesize
370KB

MD5
1ce150d608363eb591ffb96c1de7b825

SHA1
f187661c8091787bb7278b63c418664a51f9187b

SHA256
3a7c0cbbaf6ce5ce7d9ff85808a8c38d83ab71f728a9e1a84b255fa101ad4f6e

SHA512
276598c8c4f8da138eb64ec935b2a39edbf7e1817c367868586a2d0ec99f76e9cc85af5f47df1a0c5bd47810dc6dca7a63af9cd448fdfda6cf18001735e9b51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gameupdate.bat

Filesize
105B

MD5
74c5c695811f35aa38c95e01adb53fa1

SHA1
cbf7ee2c097dcc84122a079aaf35fb85325fb7ad

SHA256
caf20132f41942ed3e219a11f5e67b12f96197106bb6ec7777fcdab818caedca

SHA512
13404fdc870528c143b86a544894e1f884485ae5e2f6cffdc7d1ccce3994dee25edf12f4fd1ec8ed2aba2a86e191504223d93acd6bf8fb4a5b5c671caae6a29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gameupdate.bat

Filesize
151B

MD5
0c868490208e3557d51b93d55feba643

SHA1
291b2565763664acf8f3d6488283abf8d769fc07

SHA256
2335ff1b9f935070ea7d57a267ec87a7269673c16e8551ec745afafb9bed26f8

SHA512
e3e9108d6bf873c4a6c2847e326399f2f21a436055117ed1d8e8d3a0585b6a7a7647f607c1e5963f18101090d909dedffcdbacecd364a38af0f0e99cc1495455

Download Submit
C:\±ðµãÎÒ14916109.exe

Filesize
35KB

MD5
245360f4ddd4a902d0174c1c64ac9e25

SHA1
a87ea1b325c5714bbfb6184397c14ad27463c180

SHA256
4436979eda09c0408f8ac979305ee475cea1a69b1536fb750a77b272deb6af79

SHA512
96095e02b701b0cf8084d05a56e0ae39574640edca948361ccea1bd95add65ecb1aaa4025575f57ffe360b0228f5bdc2fd33f18c6ce959e7325c4ffdfe4b2067

Download Submit
memory/1512-16-0x0000000002090000-0x00000000020AE000-memory.dmp

Filesize
120KB

Download
memory/1512-11-0x0000000002090000-0x00000000020AE000-memory.dmp

Filesize
120KB

Download
memory/2412-17-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2412-20-0x0000000000020000-0x000000000003E000-memory.dmp

Filesize
120KB

Download
memory/2412-44-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2412-19-0x0000000000020000-0x000000000003E000-memory.dmp

Filesize
120KB

Download
memory/2932-36-0x0000000000020000-0x000000000003E000-memory.dmp

Filesize
120KB

Download
memory/2932-34-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2932-46-0x0000000000020000-0x000000000003E000-memory.dmp

Filesize
120KB

Download
memory/2932-35-0x0000000000020000-0x000000000003E000-memory.dmp

Filesize
120KB

Download
memory/2932-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3068-47-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download