aff31ca763399ff63c870d57ed8c36104ca9907fad8bb3cfcd3719712fb87777

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 15:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
Size

396KB
MD5

ab7a9105f1ba1d16ec093e75a806b0c0
SHA1

397aa4261d48c5ab0c46b2564f24e855626fb9f5
SHA256

aff31ca763399ff63c870d57ed8c36104ca9907fad8bb3cfcd3719712fb87777
SHA512

c391b5ec679f92adc78b8a999b3ef2bcffb8830223b17ad5e7f9d4dcb752e05151a6c6fcfef0ecf6dc7f3eb26f950c571ede318d952948bd883b1b5359d04a7d
SSDEEP

12288:C3BrINV/hNoHM4dhE7bJEbmJH+lKkObiGeJ:tZzNEmcv

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2256	oDdMoKn16633.exe

Executes dropped EXE 1 IoCs

pid	Process
2256	oDdMoKn16633.exe

Loads dropped DLL 2 IoCs

pid	Process
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2468-2-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2256-17-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2256-16-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2468-21-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral1/memory/2468-22-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2256-24-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2256-40-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2468-55-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2468-56-0x0000000000400000-0x00000000004B3000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oDdMoKn16633 = "C:\\ProgramData\\oDdMoKn16633\\oDdMoKn16633.exe"	oDdMoKn16633.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oDdMoKn16633.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	oDdMoKn16633.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2256	oDdMoKn16633.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2256	oDdMoKn16633.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2256	oDdMoKn16633.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2256	oDdMoKn16633.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2256	oDdMoKn16633.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2256	oDdMoKn16633.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2256	oDdMoKn16633.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2256	oDdMoKn16633.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2256	oDdMoKn16633.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2256	oDdMoKn16633.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2256	oDdMoKn16633.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2256	oDdMoKn16633.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2256	oDdMoKn16633.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2256	oDdMoKn16633.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2256	oDdMoKn16633.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2256	oDdMoKn16633.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2256	oDdMoKn16633.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2256	oDdMoKn16633.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2256	oDdMoKn16633.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2256	oDdMoKn16633.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2256	oDdMoKn16633.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
2256	oDdMoKn16633.exe
2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
Token: SeDebugPrivilege	2256	oDdMoKn16633.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2256	oDdMoKn16633.exe
2256	oDdMoKn16633.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2256	oDdMoKn16633.exe
2256	oDdMoKn16633.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2256	oDdMoKn16633.exe
2256	oDdMoKn16633.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2256	2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe	29
PID 2468 wrote to memory of 2256	2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe	29
PID 2468 wrote to memory of 2256	2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe	29
PID 2468 wrote to memory of 2256	2468	ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468
- C:\ProgramData\oDdMoKn16633\oDdMoKn16633.exe
  "C:\ProgramData\oDdMoKn16633\oDdMoKn16633.exe" "C:\Users\Admin\AppData\Local\Temp\ab7a9105f1ba1d16ec093e75a806b0c0_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\oDdMoKn16633\oDdMoKn16633.exe

Filesize
396KB

MD5
c8f596243ceb567ed17fc2e7cd97160f

SHA1
83371505c03a5b6594479c8f9974b44bc215f840

SHA256
1dce94d19dda59ed3351250c112d6745bac8b97b28f658cb9a3c0cee46d0cd68

SHA512
72dee43de82fdc32da5fdf839fee0fa6df4130df48f21d23ff88e5d021633ed380811d971032895a0c5849258dd0bdb732e328e9dd8eeeb59b46c08ccf70e613

Download Submit
memory/2256-17-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2256-16-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2256-24-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2256-40-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2468-2-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2468-1-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2468-21-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2468-22-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2468-55-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2468-56-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download