870489ab9d127826e36919978c7fd80ca85dffd955562e6e38b095234445082f

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcccec78cfc1a43e998fb318df2a3043_JaffaCakes118.exe
Size

1.1MB
MD5

bcccec78cfc1a43e998fb318df2a3043
SHA1

7b2f07507da3191b5b6feabe82b2feca3a38bb37
SHA256

870489ab9d127826e36919978c7fd80ca85dffd955562e6e38b095234445082f
SHA512

18ba5362ea0bc605f6fe4629619d0848afeb22eb7424ace28285e8ac3e0ede172571e923ca9e8f3bf103ef235b452f0ae6952500150fff502b4ae213d5eddf4f
SSDEEP

24576:iFszWS5ZfmLljbzQnDB+7BssNW5oIrqQFWrVMwNOiBxouj9D3:iW0lDKDB+7BsQKqyWrVMwXqU1

Score

7^/10

aspackv2 discovery persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000a0000000120f1-5.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
2784	msets.exe

Loads dropped DLL 2 IoCs

pid	Process
1848	bcccec78cfc1a43e998fb318df2a3043_JaffaCakes118.exe
1848	bcccec78cfc1a43e998fb318df2a3043_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctmfom = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msets.exe"	msets.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcccec78cfc1a43e998fb318df2a3043_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msets.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe
2784	msets.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2784	msets.exe
2784	msets.exe
2784	msets.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2784	1848	bcccec78cfc1a43e998fb318df2a3043_JaffaCakes118.exe	31
PID 1848 wrote to memory of 2784	1848	bcccec78cfc1a43e998fb318df2a3043_JaffaCakes118.exe	31
PID 1848 wrote to memory of 2784	1848	bcccec78cfc1a43e998fb318df2a3043_JaffaCakes118.exe	31
PID 1848 wrote to memory of 2784	1848	bcccec78cfc1a43e998fb318df2a3043_JaffaCakes118.exe	31
PID 1848 wrote to memory of 2784	1848	bcccec78cfc1a43e998fb318df2a3043_JaffaCakes118.exe	31
PID 1848 wrote to memory of 2784	1848	bcccec78cfc1a43e998fb318df2a3043_JaffaCakes118.exe	31
PID 1848 wrote to memory of 2784	1848	bcccec78cfc1a43e998fb318df2a3043_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\bcccec78cfc1a43e998fb318df2a3043_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bcccec78cfc1a43e998fb318df2a3043_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\msets.exe
  "C:\Users\Admin\AppData\Local\Temp\msets.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\msets.exe

Filesize
762KB

MD5
0aeab8f910dda47a3aed6652f9a1cfdf

SHA1
5b8024fdb3e7187f8253f41f7be479356b655ab5

SHA256
805a756c8dc926ad37d27282a3abb595fe6ca7e51354e956489944e9396fed65

SHA512
9e3d7c30a23f04a05d4f52bfbd7832bbeaed37db2b236486953aa50d37642c11fc59938a46ecf8b9467f950d281ea5fc848ef70a4fb223698fcb9b06ba14b2b0

Download Submit
memory/1848-12-0x0000000003810000-0x00000000039A3000-memory.dmp

Filesize
1.6MB

Download
memory/2784-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2784-13-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2784-16-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2784-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2784-14-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2784-17-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2784-22-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2784-23-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2784-28-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2784-32-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2784-36-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2784-37-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads