d99c2c886375d6310ac69d52d2048a58ab8cfc29e9b638aab32420c7f006e768

Analysis

max time kernel
13s
max time network
20s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26-08-2024 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c22fa8ad719a10ac86d740521056bff1_JaffaCakes118.exe
Size

116KB
MD5

c22fa8ad719a10ac86d740521056bff1
SHA1

9d0bee70963ff4be9f0119b9b15c6bac000bfe36
SHA256

d99c2c886375d6310ac69d52d2048a58ab8cfc29e9b638aab32420c7f006e768
SHA512

2c7bd47d0483a8bcc8d91ec1f043df1581ec653b7805f76ddf15f3ebf48da8332a76be3edb08c815a2fc68fc7181f7ac04d41cf174106d91b7a9ee7eab010535
SSDEEP

3072:kcPokkziMAI0YstJoViTydo2ii58KYJxtJOgEtEG5nN6:FPoP0YMwiMH58D1OgjG5N

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2360-0-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/2428-3-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/2360-7-0x0000000000400000-0x0000000000460000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2360 set thread context of 2428	2360	c22fa8ad719a10ac86d740521056bff1_JaffaCakes118.exe	30
PID 2360 set thread context of 0	2360	c22fa8ad719a10ac86d740521056bff1_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c22fa8ad719a10ac86d740521056bff1_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2360	c22fa8ad719a10ac86d740521056bff1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2428	2360	c22fa8ad719a10ac86d740521056bff1_JaffaCakes118.exe	30
PID 2360 wrote to memory of 2428	2360	c22fa8ad719a10ac86d740521056bff1_JaffaCakes118.exe	30
PID 2360 wrote to memory of 2428	2360	c22fa8ad719a10ac86d740521056bff1_JaffaCakes118.exe	30
PID 2360 wrote to memory of 2428	2360	c22fa8ad719a10ac86d740521056bff1_JaffaCakes118.exe	30
PID 2360 wrote to memory of 2428	2360	c22fa8ad719a10ac86d740521056bff1_JaffaCakes118.exe	30
PID 2360 wrote to memory of 2428	2360	c22fa8ad719a10ac86d740521056bff1_JaffaCakes118.exe	30
PID 2360 wrote to memory of 2428	2360	c22fa8ad719a10ac86d740521056bff1_JaffaCakes118.exe	30
PID 2360 wrote to memory of 2428	2360	c22fa8ad719a10ac86d740521056bff1_JaffaCakes118.exe	30
PID 2360 wrote to memory of 2428	2360	c22fa8ad719a10ac86d740521056bff1_JaffaCakes118.exe	30
PID 2360 wrote to memory of 0	2360	c22fa8ad719a10ac86d740521056bff1_JaffaCakes118.exe
PID 2360 wrote to memory of 0	2360	c22fa8ad719a10ac86d740521056bff1_JaffaCakes118.exe
PID 2360 wrote to memory of 0	2360	c22fa8ad719a10ac86d740521056bff1_JaffaCakes118.exe
PID 2360 wrote to memory of 0	2360	c22fa8ad719a10ac86d740521056bff1_JaffaCakes118.exe
PID 2360 wrote to memory of 0	2360	c22fa8ad719a10ac86d740521056bff1_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\c22fa8ad719a10ac86d740521056bff1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c22fa8ad719a10ac86d740521056bff1_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\c22fa8ad719a10ac86d740521056bff1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c22fa8ad719a10ac86d740521056bff1_JaffaCakes118.exe"
  2⤵
  PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2360-0-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2360-7-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2428-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download