1e55dcbbd1df7847f3c9976d253a8f4f1ce41c3360999972a862f2732bc6d7e7

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa0702e763cc10f8186a004516e6016a_JaffaCakes118.exe
Size

115KB
MD5

aa0702e763cc10f8186a004516e6016a
SHA1

07a6a7f0c8a7600e41d0bf6b600ea19dec3f03ee
SHA256

1e55dcbbd1df7847f3c9976d253a8f4f1ce41c3360999972a862f2732bc6d7e7
SHA512

849fa4a1443789fa52c207b0da1cf8d3e377b58dbcd8c82bdc295453b43b5c5a7e7d6203affc2ea9f94590c6f05905867b01fe5525ac9790431275f105ce5458
SSDEEP

3072:k/c4gMtfcnz2FHIOwWD0Dv73/QhxTo9houtD:k/cwqnz8PwWD0Dz+ohoS

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2200	conime.exe

Executes dropped EXE 2 IoCs

pid	Process
2200	conime.exe
2572	conime.exe

Loads dropped DLL 2 IoCs

pid	Process
816	aa0702e763cc10f8186a004516e6016a_JaffaCakes118.exe
816	aa0702e763cc10f8186a004516e6016a_JaffaCakes118.exe

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/816-0-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/files/0x0009000000018bb8-24.dat	upx
behavioral1/files/0x0007000000018c16-31.dat	upx
behavioral1/memory/2200-39-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/816-38-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2572-44-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2200-46-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2200-47-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2572-48-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2572-49-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2200-50-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2572-51-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2200-52-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2572-53-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2200-54-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2572-55-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2200-56-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2572-57-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2200-58-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2572-59-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2200-60-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2572-61-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2200-62-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2572-63-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2200-64-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2572-65-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2200-66-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2572-67-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2200-68-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2572-69-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2200-70-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2572-71-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2200-72-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2572-73-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2200-74-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2572-75-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\1.bat	aa0702e763cc10f8186a004516e6016a_JaffaCakes118.exe
File created	C:\Windows\`.bat	aa0702e763cc10f8186a004516e6016a_JaffaCakes118.exe
File created	C:\Windows\2.ini	aa0702e763cc10f8186a004516e6016a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa0702e763cc10f8186a004516e6016a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conime.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
816	aa0702e763cc10f8186a004516e6016a_JaffaCakes118.exe
816	aa0702e763cc10f8186a004516e6016a_JaffaCakes118.exe
2200	conime.exe
2200	conime.exe
2200	conime.exe
2200	conime.exe
2200	conime.exe
2200	conime.exe
2200	conime.exe
2200	conime.exe
2572	conime.exe
2572	conime.exe
2572	conime.exe
2572	conime.exe
2200	conime.exe
2200	conime.exe
2572	conime.exe
2572	conime.exe
2200	conime.exe
2200	conime.exe
2572	conime.exe
2572	conime.exe
2200	conime.exe
2200	conime.exe
2572	conime.exe
2572	conime.exe
2200	conime.exe
2200	conime.exe
2572	conime.exe
2572	conime.exe
2200	conime.exe
2200	conime.exe
2572	conime.exe
2572	conime.exe
2200	conime.exe
2200	conime.exe
2572	conime.exe
2572	conime.exe
2200	conime.exe
2200	conime.exe
2572	conime.exe
2572	conime.exe
2200	conime.exe
2200	conime.exe
2572	conime.exe
2572	conime.exe
2200	conime.exe
2200	conime.exe
2572	conime.exe
2572	conime.exe
2200	conime.exe
2200	conime.exe
2572	conime.exe
2572	conime.exe
2200	conime.exe
2200	conime.exe
2572	conime.exe
2572	conime.exe
2200	conime.exe
2200	conime.exe
2572	conime.exe
2572	conime.exe
2200	conime.exe
2200	conime.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 1240	816	aa0702e763cc10f8186a004516e6016a_JaffaCakes118.exe	31
PID 816 wrote to memory of 1240	816	aa0702e763cc10f8186a004516e6016a_JaffaCakes118.exe	31
PID 816 wrote to memory of 1240	816	aa0702e763cc10f8186a004516e6016a_JaffaCakes118.exe	31
PID 816 wrote to memory of 1240	816	aa0702e763cc10f8186a004516e6016a_JaffaCakes118.exe	31
PID 816 wrote to memory of 1860	816	aa0702e763cc10f8186a004516e6016a_JaffaCakes118.exe	33
PID 816 wrote to memory of 1860	816	aa0702e763cc10f8186a004516e6016a_JaffaCakes118.exe	33
PID 816 wrote to memory of 1860	816	aa0702e763cc10f8186a004516e6016a_JaffaCakes118.exe	33
PID 816 wrote to memory of 1860	816	aa0702e763cc10f8186a004516e6016a_JaffaCakes118.exe	33
PID 816 wrote to memory of 2200	816	aa0702e763cc10f8186a004516e6016a_JaffaCakes118.exe	35
PID 816 wrote to memory of 2200	816	aa0702e763cc10f8186a004516e6016a_JaffaCakes118.exe	35
PID 816 wrote to memory of 2200	816	aa0702e763cc10f8186a004516e6016a_JaffaCakes118.exe	35
PID 816 wrote to memory of 2200	816	aa0702e763cc10f8186a004516e6016a_JaffaCakes118.exe	35
PID 2200 wrote to memory of 2572	2200	conime.exe	36
PID 2200 wrote to memory of 2572	2200	conime.exe	36
PID 2200 wrote to memory of 2572	2200	conime.exe	36
PID 2200 wrote to memory of 2572	2200	conime.exe	36

C:\Users\Admin\AppData\Local\Temp\aa0702e763cc10f8186a004516e6016a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aa0702e763cc10f8186a004516e6016a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Windows\1.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Windows\`.bat" -in"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1860
- C:\ccc\conime.exe
  C:\ccc\conime.exe -self
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\ccc\conime.exe
    C:\ccc\conime.exe -self
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\1.bat

Filesize
482B

MD5
e1dbc0180f475190337e74446cbdac58

SHA1
53bcc5e6c2cf35a2b03f6d37d1b05686d296a064

SHA256
d4d08750e0c22fe69c50da8488af87ce7add0ef8d28a56cfd0753c87a37f7432

SHA512
d71eaf2358c52bb4b288b4a1a52d88b29cdbb610f1219deb452b362b9da1093d7f0ce64bbb07fb5920768133497abb4663eabfab73c56484c64ee124689960c2

Download Submit
C:\Windows\2.ini

Filesize
86B

MD5
7904bc67515b047ec5690d467758783e

SHA1
4a3a2324883c444f77b7b223d60d62847bf02742

SHA256
3bdc362cacba7a69a266f902b450c03d8e0d6a37eabc0e7915978686e3671ae3

SHA512
e5d2d5db300df6a177080cba41da713312337832df135c93a4a5e3b6f329e74b88fe4da67d0b4547bee8b0f92fc73232370d836d680e793b397b9930fc67b83f

Download Submit
C:\Windows\Temp\dfcent

Filesize
28B

MD5
88be6335c8f7ef5987f52cba48725232

SHA1
e433972353f655e332b9d462c15b0b3063a20792

SHA256
a4ff95cc98d9ba5db911947fbad3765ba255f52a4daa395bef0485116965acf2

SHA512
4f823926ed135e6f88f6002658473122352faa00deab529194d11152c5a2f73480e6f10b536e352d4f5720920ce4bf9f07d0ce1a4493fc46a1f6ec3090c80c74

Download Submit
C:\Windows\Temp\tmp\df\ipp.000.tmp

Filesize
24KB

MD5
d1b6da1f8eae4c884c149942f9315d71

SHA1
9c5eff8ea47a21e9380ff3719840a88e2ba5b3bc

SHA256
0faca447933f751466e7a8321af3b4d23e9e51a26677d7c196cb52c4f7d7001c

SHA512
2ab515533fff21587c1fea432e52e18a6addb3dbefdc06bac05b710d5506744171ba13bf45ae93357fc6e398929cd57441402725be0eb9c2a3a676c0beb4eae3

Download Submit
C:\Windows\`.bat

Filesize
60B

MD5
83d1e52896023419d72ee8f91da2cffb

SHA1
e770fb1d5f3db57de0b3e6139f7d80a16a983113

SHA256
29366d1af05aa97500c233d21ec866c25f4ac346896cfd031db70dcf74d1be2c

SHA512
284f12d24d781b25e7c1afef29910d8e5120974c5c7ca8d44482bc8dc588c8673d276f31fd30cee691730dfed8ab059c05891539e8d91f9477513259a0b3679c

Download Submit
C:\ccc\conime.exe

Filesize
115KB

MD5
aa0702e763cc10f8186a004516e6016a

SHA1
07a6a7f0c8a7600e41d0bf6b600ea19dec3f03ee

SHA256
1e55dcbbd1df7847f3c9976d253a8f4f1ce41c3360999972a862f2732bc6d7e7

SHA512
849fa4a1443789fa52c207b0da1cf8d3e377b58dbcd8c82bdc295453b43b5c5a7e7d6203affc2ea9f94590c6f05905867b01fe5525ac9790431275f105ce5458

Download Submit
memory/816-17-0x00000000035B0000-0x00000000035C0000-memory.dmp

Filesize
64KB

Download
memory/816-35-0x00000000035B0000-0x0000000003603000-memory.dmp

Filesize
332KB

Download
memory/816-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/816-34-0x00000000035B0000-0x0000000003603000-memory.dmp

Filesize
332KB

Download
memory/816-38-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2200-54-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2200-66-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2200-46-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2200-47-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2200-74-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2200-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2200-50-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2200-70-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2200-52-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2200-68-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2200-39-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2200-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2200-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2200-62-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2200-58-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2200-60-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2572-53-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2572-69-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2572-57-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2572-63-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2572-55-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2572-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2572-61-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2572-44-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2572-59-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2572-67-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2572-51-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2572-71-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2572-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2572-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2572-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2572-75-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download