2352126cc36b38679d36f485e72519d8f7775982c0af9c2213f1f15a81065afa

Analysis

max time kernel
148s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 06:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
Size

57KB
MD5

a9fa1aba47f64cada6591b2547ba7b3e
SHA1

0377d2a235675821f891eb3edeb003f044bcd088
SHA256

2352126cc36b38679d36f485e72519d8f7775982c0af9c2213f1f15a81065afa
SHA512

6c0580976d3bb5b7ce813fe6bb292db8c8a14fde13e23ec2031f737a273abb59cd7d56dc7124f22201c3d1ad78f5d2b29d84d000347df4173ddd871d62c3a7f1
SSDEEP

1536:pGhSbwoQjMeo2uteFGYqHcAKtj+SFjGs/mH:pGL2eo5QGYmJ9s/e

Score

8^/10

defense_evasion discovery persistence upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\KPDrv.sys	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 1 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3596-0-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3596-14-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3596-17-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3596-18-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3596-19-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3596-20-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3596-21-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3596-24-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3596-25-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3596-26-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3596-31-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3596-32-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3596-33-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3596-34-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3596-37-0x0000000000400000-0x0000000000426000-memory.dmp	upx

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\InjectDLL.dll	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 11 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 3568	3596	a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3568
- C:\Users\Admin\AppData\Local\Temp\a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a9fa1aba47f64cada6591b2547ba7b3e_JaffaCakes118.exe"
  2⤵
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Indicator Removal: Clear Persistence
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\drivers\KPDrv.sys

Filesize
3KB

MD5
387da3586db8670693ce5b1d856e56d7

SHA1
71f14a9e31bcc6cc060f6635209f22a3a3485155

SHA256
c2715a94d3be61c645c37f3fee6d8243f1c95b1da94bee2e94ea1547481b235c

SHA512
7bcb0fe946091f1718db33a78128d4199041a255c9c72f7eae4865279b6deb3d9ac74f840a6d07f12a15bc3afa0b5a2df351103946bb6755fe4bc28c4d62d5bc

Download Submit
memory/3596-24-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3596-31-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3596-17-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3596-18-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3596-19-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3596-20-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3596-14-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3596-25-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3596-21-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3596-26-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3596-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3596-32-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3596-33-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3596-34-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3596-37-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download