4eca8a460680129a0b75e86c0f768b4c82bda8f09ab40bce660f32cb9dd09466

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4fec3c853b6e196bf80432616381762_JaffaCakes118.exe
Size

185KB
MD5

b4fec3c853b6e196bf80432616381762
SHA1

dd04c28ff038fc8e75cc0b88e0214e66896a821b
SHA256

4eca8a460680129a0b75e86c0f768b4c82bda8f09ab40bce660f32cb9dd09466
SHA512

8f9f80ea57291d202fdba57e25aa4123330fc342448f99631e063dba5822b8389f5d72badb65818741b725d86c9d4cd2e237a1ca080db0df0e3a8fb35aa18608
SSDEEP

3072:fFPj3gJKOV3ThWwKiUu7GqCgB8LOqchHzF56tk:fZM93TUwrGbgBzqkFYS

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2316	Tam-REX.exe

Loads dropped DLL 2 IoCs

pid	Process
1016	b4fec3c853b6e196bf80432616381762_JaffaCakes118.exe
1016	b4fec3c853b6e196bf80432616381762_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1016-0-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1016-32-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\coba.png	b4fec3c853b6e196bf80432616381762_JaffaCakes118.exe
File created	C:\Windows\Fonts\favicon(2).ico	b4fec3c853b6e196bf80432616381762_JaffaCakes118.exe
File created	C:\Windows\Fonts\Fitur.txt	b4fec3c853b6e196bf80432616381762_JaffaCakes118.exe
File created	C:\Windows\Fonts\Tam-REX.exe	b4fec3c853b6e196bf80432616381762_JaffaCakes118.exe
File created	C:\Windows\Fonts\Tamrex.dll	b4fec3c853b6e196bf80432616381762_JaffaCakes118.exe
File created	C:\Windows\Fonts\tamrex.fpp	b4fec3c853b6e196bf80432616381762_JaffaCakes118.exe
File created	C:\Windows\Fonts\9011e7f65634.tmp	b4fec3c853b6e196bf80432616381762_JaffaCakes118.exe
File created	C:\Windows\Fonts\9011e8f65634.tmp	b4fec3c853b6e196bf80432616381762_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4fec3c853b6e196bf80432616381762_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tam-REX.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2316	Tam-REX.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 2316	1016	b4fec3c853b6e196bf80432616381762_JaffaCakes118.exe	31
PID 1016 wrote to memory of 2316	1016	b4fec3c853b6e196bf80432616381762_JaffaCakes118.exe	31
PID 1016 wrote to memory of 2316	1016	b4fec3c853b6e196bf80432616381762_JaffaCakes118.exe	31
PID 1016 wrote to memory of 2316	1016	b4fec3c853b6e196bf80432616381762_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\b4fec3c853b6e196bf80432616381762_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b4fec3c853b6e196bf80432616381762_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\Fonts\Tam-REX.exe
  "C:\Windows\Fonts\Tam-REX.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FPCBA8.tmp

Filesize
172B

MD5
97e804f1daadff9c5e96a8d7f8a85bce

SHA1
50835217298446e51f1b5bf353fcdc0155ff8306

SHA256
d73cad1ee93432e9bfcbf79e583ea46759170fe1712a19959a33caa415b2c8b7

SHA512
5c0df876e4ee0ce7af68bac99058d2d9e2465b44dc1f2f994ebed90a1be65169b429511323eafa0c3d8f5111e9ddf2e51a4c498dcbd9250673580b6dd7d75d8b

Download Submit
C:\Windows\Fonts\coba.png

Filesize
32KB

MD5
0647d2da26cadbc3fdea24659988ac97

SHA1
a6f7aae216271585bb3b6ced1175a8ebc860da54

SHA256
4bfa9144baa3360a7ad4fe57963f5abd1f19eaca4124520b33b09f2d70fc492e

SHA512
946e8d78ee2de38bb5ce101a1a5f40c6f6a60b803cc843ae1d1c947a7703a4f0aa6cdc2a175dc32d0c87523d0cafc96e9426d70a843ba1f3b8a2916cb7fda1b8

Download Submit
\Windows\Fonts\Tam-REX.exe

Filesize
52KB

MD5
b5f61378aec288656ab49bfc09a523b0

SHA1
8c336aa7018a9c8e81a16e2b25493cbfdfeb476f

SHA256
2c6f0e56578f6ad11d796875878a865073034b6aa0ced815f7660f77f94a5407

SHA512
b2afc698600214d44e36c5a09e34ad6c829030a81facab2c397c90a5ac52b7de05ec67c4da60f91e0783ae0a7fc9bf6229656143fec111817c38cbffe474e318

Download Submit
memory/1016-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1016-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download