efbf50e35527b984051b71b3f666c2fd4bfc6e92cd081887fb194dbcc5b2a51c

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 14:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bc0f22aa85fb41c1ba9400a425f958db_JaffaCakes118.exe
Size

2.3MB
MD5

bc0f22aa85fb41c1ba9400a425f958db
SHA1

5b8bfb2d7538f589e8159e0b61c3853217edad74
SHA256

efbf50e35527b984051b71b3f666c2fd4bfc6e92cd081887fb194dbcc5b2a51c
SHA512

cdc259f2e6d2b6be6b2dd16038b3b0f1b0902ab6ef3b038e218160fca667407019536e36838eed8532724013f527acbf70109a6b5e0e692b71c6b93772e78585
SSDEEP

49152:Hz8QTWv6ere7uMa81MeaphD76XRLH+al+eDJUjRi4rRvmdAlT:T8Z6eraJFmD25fpDJUjw4NoAlT

Score

7^/10

aspackv2 discovery

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000023470-9.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1584	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
1584	setup.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc0f22aa85fb41c1ba9400a425f958db_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Suspicious use of SetWindowsHookEx 39 IoCs

pid	Process
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe
1584	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 1584	2240	bc0f22aa85fb41c1ba9400a425f958db_JaffaCakes118.exe	84
PID 2240 wrote to memory of 1584	2240	bc0f22aa85fb41c1ba9400a425f958db_JaffaCakes118.exe	84
PID 2240 wrote to memory of 1584	2240	bc0f22aa85fb41c1ba9400a425f958db_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\bc0f22aa85fb41c1ba9400a425f958db_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bc0f22aa85fb41c1ba9400a425f958db_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\~esetup\setup.exe
  C:\Users\Admin\AppData\Local\Temp\~esetup\setup.exe setup.dat
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~esetup\krnln.fnr

Filesize
495KB

MD5
28ec1a8141938d390907d5495281bffd

SHA1
cf825f5bec52076aad3f224f9737ff61624c08f4

SHA256
d5114fa35f05e4d5171a918aec27b48874fbcb14184e117be96959bd775fe67e

SHA512
530f43f374f10afe3ae1e89743ccaded2deac3dddfb962464db7e9713cea0438534bb545072264d9a3df2e9b82f9adc2833b7988c559d9af65f9926c713f2695

Download Submit
C:\Users\Admin\AppData\Local\Temp\~esetup\setup.dat

Filesize
2.7MB

MD5
836b62ba41a6411dfdcaa94bcebc386d

SHA1
9816e8a5d027241bf40c218825faccae8d6f4956

SHA256
2e0c11848dd53757d2fc5db86e96d2132edb17236cd09dab11149e20196e6df7

SHA512
18311226bd1672c741076980a789b77877fbb2f7578f46cc6d54b468e4dff2dadea09be6f9ddf11ab696355a9cb3f40ddf22aa2e410cf7478a2f1057df4a8314

Download Submit
C:\Users\Admin\AppData\Local\Temp\~esetup\setup.exe

Filesize
30KB

MD5
7de8a9ce8297ab6194783f768d238f7c

SHA1
e5277e152d1aafbe7593b1cff1cab92ff812054f

SHA256
9599cb4ce9dd8c2260b88f11a47c1e6f44116a14ef57137d63ba551b714c33dc

SHA512
33a933ad6ace71a9539a286df0972fe9047475d7a560e9529d15a407eefc9333c762cf065abc9cb1f981af5511aef1f0127844fe6be0b9eaeadf46fe7fde21e3

Download Submit
memory/1584-7-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1584-11-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1584-13-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1584-14-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download