b8125cb79cc9e2b5a7e0de2ff3f30dc6fe991f81930a1c06d244c7fbed9c50bd

Analysis

max time kernel
140s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b20925af7258f4b0e45e93ec3ab17189_JaffaCakes118.exe
Size

725KB
MD5

b20925af7258f4b0e45e93ec3ab17189
SHA1

7dc5abda2ee72fdada6d372c5296b5c3ef43d795
SHA256

b8125cb79cc9e2b5a7e0de2ff3f30dc6fe991f81930a1c06d244c7fbed9c50bd
SHA512

3dbc3ef891d5de4a0b3f3df17836a9b925c97f20d15a6cb304160fcde69dc4e3ac5780680ee8a67affa96ff2e612daed5d350fb252e5299f260956a8b3234d0a
SSDEEP

12288:bDgegqYWhLtWvuP+yv8Sk8tjhAsoBp7Qy80ebxA:bD2qYsgmPPPjhAs0QyrEq

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	b20925af7258f4b0e45e93ec3ab17189_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2460	Pandakiller.exe

Loads dropped DLL 1 IoCs

pid	Process
2460	Pandakiller.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4088-0-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4088-23-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b20925af7258f4b0e45e93ec3ab17189_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pandakiller.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2460	Pandakiller.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 2460	4088	b20925af7258f4b0e45e93ec3ab17189_JaffaCakes118.exe	86
PID 4088 wrote to memory of 2460	4088	b20925af7258f4b0e45e93ec3ab17189_JaffaCakes118.exe	86
PID 4088 wrote to memory of 2460	4088	b20925af7258f4b0e45e93ec3ab17189_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\b20925af7258f4b0e45e93ec3ab17189_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b20925af7258f4b0e45e93ec3ab17189_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Pandakiller.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Pandakiller.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSVBVM60.DLL

Filesize
1.3MB

MD5
ae596bbdb19aed957980b0f1a79337d5

SHA1
66604409a68561118d3ab2e2c95fee8b0b32e07f

SHA256
febe0707da727755026894fa7f56a68cdfd95bbce513463da6bb34b172592ef7

SHA512
5354552e11167312a3fcf50357884a072b44c0ae0831069dc93e8488a80a5c1f6400fd19f77a7457c550aa8df6aa7d9dfa02d7989fa12e31d57c4e0cf0c309e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Pandakiller.exe

Filesize
104KB

MD5
892b90b248d8c3854724466ed449183b

SHA1
de0df582efd913b100abfc5ba8d12ca34bbf67a2

SHA256
059f401dd0f7f4211375a0d5c58c4e3c8893936c77c86388486f221247cdbbc7

SHA512
4cb43c8c6058765e79c121bc22e81fcddc3b736ab8e7bf7a87377843fe698bfe0f15a2f4e75f0485e7ffe2f12651fcfe15ebbdf37e411fb49f3487c98af1b4ec

Download Submit
memory/4088-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4088-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download