3364f3a95e490c628061a6dd1563f793530c09355385b60e98ce612ec4ff9e65

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bde3ecd6f649cee3b7194e8c1599eaa0_JaffaCakes118.exe
Size

487KB
MD5

bde3ecd6f649cee3b7194e8c1599eaa0
SHA1

da2943dcd3e0ef11541b6279d6a24960637c7780
SHA256

3364f3a95e490c628061a6dd1563f793530c09355385b60e98ce612ec4ff9e65
SHA512

30e6179f76f32d94fc54072239cc5246d5ff5084ceca3675baaa5e7e2ad572dc3cf36ee6d7dc93fcdb630f0b6f34c4ac92e0b0cb452ad54d179785727f7005c3
SSDEEP

12288:sICIsF97Db9lh4IdqGo6hxS100veqHnHF4yLFi9oS:3CJP73h4IdqLOi00vDl42i

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2812	bE28258FmBdH28258.exe

Executes dropped EXE 1 IoCs

pid	Process
2812	bE28258FmBdH28258.exe

Loads dropped DLL 1 IoCs

pid	Process
2364	bde3ecd6f649cee3b7194e8c1599eaa0_JaffaCakes118.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2364-0-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
behavioral1/memory/2364-3-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/files/0x0008000000016e1d-12.dat	upx
behavioral1/memory/2812-17-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
behavioral1/memory/2812-26-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
behavioral1/memory/2364-20-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2364-19-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
behavioral1/memory/2364-16-0x0000000002A60000-0x0000000002B31000-memory.dmp	upx
behavioral1/memory/2812-30-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
behavioral1/memory/2812-40-0x0000000000400000-0x00000000004D1000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bE28258FmBdH28258 = "C:\\ProgramData\\bE28258FmBdH28258\\bE28258FmBdH28258.exe"	bE28258FmBdH28258.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bE28258FmBdH28258.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bde3ecd6f649cee3b7194e8c1599eaa0_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	bE28258FmBdH28258.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2364	bde3ecd6f649cee3b7194e8c1599eaa0_JaffaCakes118.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	bde3ecd6f649cee3b7194e8c1599eaa0_JaffaCakes118.exe
Token: SeDebugPrivilege	2812	bE28258FmBdH28258.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2812	bE28258FmBdH28258.exe
2812	bE28258FmBdH28258.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2812	2364	bde3ecd6f649cee3b7194e8c1599eaa0_JaffaCakes118.exe	30
PID 2364 wrote to memory of 2812	2364	bde3ecd6f649cee3b7194e8c1599eaa0_JaffaCakes118.exe	30
PID 2364 wrote to memory of 2812	2364	bde3ecd6f649cee3b7194e8c1599eaa0_JaffaCakes118.exe	30
PID 2364 wrote to memory of 2812	2364	bde3ecd6f649cee3b7194e8c1599eaa0_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\bde3ecd6f649cee3b7194e8c1599eaa0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bde3ecd6f649cee3b7194e8c1599eaa0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\ProgramData\bE28258FmBdH28258\bE28258FmBdH28258.exe
  "C:\ProgramData\bE28258FmBdH28258\bE28258FmBdH28258.exe" "C:\Users\Admin\AppData\Local\Temp\bde3ecd6f649cee3b7194e8c1599eaa0_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bE28258FmBdH28258\bE28258FmBdH28258

Filesize
192B

MD5
0b87ea58a93c7978fe91a7d2c50d41dd

SHA1
b70589a2891f3d3dcc83b8d800ea06e85c735dc2

SHA256
342493273458a3ba1f49b31f9e194e4d9cff44ce1f7996867719a58d5edd00ee

SHA512
8a4859d8d129be70ba6caaef6aab96cf6815117a36315a36361ebc2a49735bbc535d251ab19d3ba65a717a317f250cb9c2b48cbf529763a1e9cf9648ab9e2a17

Download Submit
\ProgramData\bE28258FmBdH28258\bE28258FmBdH28258.exe

Filesize
487KB

MD5
ab68ffd72cb16e80bc76252a6439edc3

SHA1
e8538a9cb74354b4c2c9792dab54d8fd83a2f132

SHA256
2f081c7c176119387a0aee095129a1254b2d700b6d03b7be767d68ec4f76e99f

SHA512
55210737b84191cc67d8a9975ee762b4fae46e403199391c1a8d3a6eb6907e834e64ef4b9fa7d236380a9900d5b57fb6b58c8d5dbe15c5bacb9039d7cea96fd0

Download Submit
memory/2364-3-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2364-0-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2364-1-0x0000000000250000-0x00000000002F6000-memory.dmp

Filesize
664KB

Download
memory/2364-2-0x0000000000300000-0x0000000000353000-memory.dmp

Filesize
332KB

Download
memory/2364-20-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2364-19-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2364-16-0x0000000002A60000-0x0000000002B31000-memory.dmp

Filesize
836KB

Download
memory/2812-17-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2812-26-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2812-30-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2812-40-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download