0ec380959d1a89d3293b2900debcf159aad8b91a64ed93bd1337040367b8b123

Analysis

max time kernel
141s
max time network
106s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aff7fed5d0b167308ad264b0dfc5bef6_JaffaCakes118.exe
Size

184KB
MD5

aff7fed5d0b167308ad264b0dfc5bef6
SHA1

5d51076b18ff195b2ab52bfc73bce70cc614b8ee
SHA256

0ec380959d1a89d3293b2900debcf159aad8b91a64ed93bd1337040367b8b123
SHA512

32b81e431161366d460ab2f8f237fb6266f44c40a4c5671c1b2dfa22be74de47992037aec7493cba365f1458ccae13eaf3254ee0eccb165723f48ce31c3d21ea
SSDEEP

3072:t3CRCTcyuZAAA12vVpeubAUuyyAu9cGLNUfP6B7kOjLzI40O3J5IWxSblN:t3XuZ5A12vTe4uhlWGyfiB7kNiX/s

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2028	rgvahfxMRLOAawMARDEg.exe
1944	ctWLDxHAIYZuIonroMbL.exe
2932	EzWVRpjWRscPrXGQLOgR.exe

Loads dropped DLL 14 IoCs

pid	Process
1512	aff7fed5d0b167308ad264b0dfc5bef6_JaffaCakes118.exe
1512	aff7fed5d0b167308ad264b0dfc5bef6_JaffaCakes118.exe
1512	aff7fed5d0b167308ad264b0dfc5bef6_JaffaCakes118.exe
1512	aff7fed5d0b167308ad264b0dfc5bef6_JaffaCakes118.exe
1512	aff7fed5d0b167308ad264b0dfc5bef6_JaffaCakes118.exe
2932	EzWVRpjWRscPrXGQLOgR.exe
2968	rundll32.exe
2968	rundll32.exe
2968	rundll32.exe
2968	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1512-0-0x0000000000400000-0x000000000047A000-memory.dmp	upx
behavioral1/memory/1512-27-0x0000000000400000-0x000000000047A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ycigobed = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\mescfcs.dll\",Startup"	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aff7fed5d0b167308ad264b0dfc5bef6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctWLDxHAIYZuIonroMbL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EzWVRpjWRscPrXGQLOgR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2968	rundll32.exe
2968	rundll32.exe
2968	rundll32.exe
2968	rundll32.exe
2968	rundll32.exe
2968	rundll32.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2028	1512	aff7fed5d0b167308ad264b0dfc5bef6_JaffaCakes118.exe	30
PID 1512 wrote to memory of 2028	1512	aff7fed5d0b167308ad264b0dfc5bef6_JaffaCakes118.exe	30
PID 1512 wrote to memory of 2028	1512	aff7fed5d0b167308ad264b0dfc5bef6_JaffaCakes118.exe	30
PID 1512 wrote to memory of 2028	1512	aff7fed5d0b167308ad264b0dfc5bef6_JaffaCakes118.exe	30
PID 1512 wrote to memory of 1944	1512	aff7fed5d0b167308ad264b0dfc5bef6_JaffaCakes118.exe	31
PID 1512 wrote to memory of 1944	1512	aff7fed5d0b167308ad264b0dfc5bef6_JaffaCakes118.exe	31
PID 1512 wrote to memory of 1944	1512	aff7fed5d0b167308ad264b0dfc5bef6_JaffaCakes118.exe	31
PID 1512 wrote to memory of 1944	1512	aff7fed5d0b167308ad264b0dfc5bef6_JaffaCakes118.exe	31
PID 1512 wrote to memory of 2932	1512	aff7fed5d0b167308ad264b0dfc5bef6_JaffaCakes118.exe	33
PID 1512 wrote to memory of 2932	1512	aff7fed5d0b167308ad264b0dfc5bef6_JaffaCakes118.exe	33
PID 1512 wrote to memory of 2932	1512	aff7fed5d0b167308ad264b0dfc5bef6_JaffaCakes118.exe	33
PID 1512 wrote to memory of 2932	1512	aff7fed5d0b167308ad264b0dfc5bef6_JaffaCakes118.exe	33
PID 1512 wrote to memory of 2932	1512	aff7fed5d0b167308ad264b0dfc5bef6_JaffaCakes118.exe	33
PID 1512 wrote to memory of 2932	1512	aff7fed5d0b167308ad264b0dfc5bef6_JaffaCakes118.exe	33
PID 1512 wrote to memory of 2932	1512	aff7fed5d0b167308ad264b0dfc5bef6_JaffaCakes118.exe	33
PID 1944 wrote to memory of 2968	1944	ctWLDxHAIYZuIonroMbL.exe	32
PID 1944 wrote to memory of 2968	1944	ctWLDxHAIYZuIonroMbL.exe	32
PID 1944 wrote to memory of 2968	1944	ctWLDxHAIYZuIonroMbL.exe	32
PID 1944 wrote to memory of 2968	1944	ctWLDxHAIYZuIonroMbL.exe	32
PID 1944 wrote to memory of 2968	1944	ctWLDxHAIYZuIonroMbL.exe	32
PID 1944 wrote to memory of 2968	1944	ctWLDxHAIYZuIonroMbL.exe	32
PID 1944 wrote to memory of 2968	1944	ctWLDxHAIYZuIonroMbL.exe	32
PID 2968 wrote to memory of 3056	2968	rundll32.exe	34
PID 2968 wrote to memory of 3056	2968	rundll32.exe	34
PID 2968 wrote to memory of 3056	2968	rundll32.exe	34
PID 2968 wrote to memory of 3056	2968	rundll32.exe	34
PID 2968 wrote to memory of 3056	2968	rundll32.exe	34
PID 2968 wrote to memory of 3056	2968	rundll32.exe	34
PID 2968 wrote to memory of 3056	2968	rundll32.exe	34

C:\Users\Admin\AppData\Local\Temp\aff7fed5d0b167308ad264b0dfc5bef6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aff7fed5d0b167308ad264b0dfc5bef6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\rgvahfxMRLOAawMARDEg.exe
  C:\Users\Admin\AppData\Local\Temp\rgvahfxMRLOAawMARDEg.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Users\Admin\AppData\Local\Temp\ctWLDxHAIYZuIonroMbL.exe
  C:\Users\Admin\AppData\Local\Temp\ctWLDxHAIYZuIonroMbL.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\mescfcs.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\mescfcs.dll",iep
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3056
- C:\Users\Admin\AppData\Local\Temp\EzWVRpjWRscPrXGQLOgR.exe
  C:\Users\Admin\AppData\Local\Temp\EzWVRpjWRscPrXGQLOgR.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EzWVRpjWRscPrXGQLOgR.exe

Filesize
92KB

MD5
a2d1be32a1c5dfe7767f7f88ef29a4a1

SHA1
933cb9beb566849e8466fb1779844acaf8e5710f

SHA256
80d877df84438bedf1bf62be18e07c3d78be71a916b2dcf67a450bd8dcebf6f8

SHA512
4d2780d7d21ba7c34391792d8da3057ba3e29ed611a87f9fad6c0084a3ba8c96f5c43cf10a87d804639d754dde9cd79ce10b5d31df9ad1d13884496ddcd7c084

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctWLDxHAIYZuIonroMbL.exe

Filesize
67KB

MD5
0350f4f74e02eac9702e14cc777f6a38

SHA1
83d5603c6496efe7d5f85a620c3c14b0b5e172b5

SHA256
a827aab4967b35976202f25da9bb851a8622ae3c58fef21017564e01a0217a87

SHA512
47ee07a206dd0f91f6f9037bbc690698ad11a3ecfcc3d5ade0b3fdb5a06afd4545b8ca806f6a5bc6624e1e09019b579e2f067638906681ef0fa5b8bd0b5864fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgvahfxMRLOAawMARDEg.exe

Filesize
26KB

MD5
327a81dd19c332ca9ad8db0c9d46d6d6

SHA1
8a6e6b9555f8acdd819200f26e5abaef221d82fd

SHA256
646e06fc58f4b257a9e8633607b7ef85ccfb7ee1a43149fa536127b1540cde80

SHA512
c013def8c68911cfca13cc2cf9c18786195d38147dcf7f1e4107780211b6f503d6815c71413f88d28b8ec108eec308b2e92c9b834accac53bc7e92afab41208d

Download Submit
\Users\Admin\AppData\Local\mescfcs.dll

Filesize
67KB

MD5
62bbd8e688e2fd8e83bc4dcec28ed216

SHA1
07912d2bb93c3a83a00fd0041f8a72d081b9b189

SHA256
22e8da3c59109f5c2fd3303f567cd3d7e8760b6a446c8d7f3e9c5a59ff5d1a25

SHA512
8648b805094f762e8a3b17d57fc2b3f80a2862deb9ca21dfd6ab66712747b4e9efa0e225bba7deac7b00d84198a5f0176af93b7f0a4c632ec6d56e85e23428ca

Download Submit
memory/1512-27-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1512-0-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1944-29-0x0000000001E20000-0x0000000001E60000-memory.dmp

Filesize
256KB

Download
memory/1944-28-0x0000000001E20000-0x0000000001E60000-memory.dmp

Filesize
256KB

Download
memory/1944-18-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1944-45-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2932-32-0x0000000000190000-0x00000000001A9000-memory.dmp

Filesize
100KB

Download
memory/2932-34-0x0000000000190000-0x00000000001A9000-memory.dmp

Filesize
100KB

Download
memory/2932-42-0x00000000009F0000-0x0000000000A0B000-memory.dmp

Filesize
108KB

Download
memory/2968-39-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2968-40-0x00000000004F0000-0x0000000000530000-memory.dmp

Filesize
256KB

Download
memory/2968-43-0x00000000004F0000-0x0000000000530000-memory.dmp

Filesize
256KB

Download
memory/2968-44-0x00000000004F0000-0x0000000000530000-memory.dmp

Filesize
256KB

Download
memory/2968-46-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2968-41-0x00000000004F0000-0x0000000000530000-memory.dmp

Filesize
256KB

Download
memory/2968-55-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2968-57-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3056-58-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download