cbdb5a1b77829934b1cc7815d719336a8597b7410fe80304ca6144a0dbe38296

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7fa8e5851c0d57b5f5f430b2eb88855_JaffaCakes118.exe
Size

29KB
MD5

c7fa8e5851c0d57b5f5f430b2eb88855
SHA1

f6a2213e312b42ed26d2e00a46c0a2f948728498
SHA256

cbdb5a1b77829934b1cc7815d719336a8597b7410fe80304ca6144a0dbe38296
SHA512

50705a6bcbcd8b936535ca0473df8f41719c2a1fd8251582123da11f01b7cafffead9321ac4d9a7ee0cf8e308ad096564c929d940f258f0450d80f4fbc730b3e
SSDEEP

768:GXbjK6sXmbfSpcG97rHmghq8LKFbqvj67V/WsCtu0LOJSm:GLjvKOq+GpbhqAQbq7a/Fsu+m3

Score

7^/10

discovery upx

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1884	c7fa8e5851c0d57b5f5f430b2eb88855_JaffaCakes118.exe
1884	c7fa8e5851c0d57b5f5f430b2eb88855_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1884-0-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/1884-9-0x0000000000400000-0x000000000041A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7fa8e5851c0d57b5f5f430b2eb88855_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1884	c7fa8e5851c0d57b5f5f430b2eb88855_JaffaCakes118.exe
1884	c7fa8e5851c0d57b5f5f430b2eb88855_JaffaCakes118.exe
1884	c7fa8e5851c0d57b5f5f430b2eb88855_JaffaCakes118.exe
1884	c7fa8e5851c0d57b5f5f430b2eb88855_JaffaCakes118.exe
1884	c7fa8e5851c0d57b5f5f430b2eb88855_JaffaCakes118.exe
1884	c7fa8e5851c0d57b5f5f430b2eb88855_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1884	c7fa8e5851c0d57b5f5f430b2eb88855_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\c7fa8e5851c0d57b5f5f430b2eb88855_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c7fa8e5851c0d57b5f5f430b2eb88855_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WowInitcode.dll

Filesize
41KB

MD5
d561e7f3db9d542bdcc9721999aa2b2a

SHA1
710f7da9eb9e1432fd3928a51caa31a356b3f29b

SHA256
215ffaf9ec6bd15cb26711fd8fc0df13261178dd29034ec136d245d05bd7b7c7

SHA512
484135d4b2f07e0513d37449cac1c950d934aa1444a9ba42028751dc1c140bf96bd7952336493581aed51b835c97c0fd92ae79e0a76d7c5226f71f7b6731e43c

Download Submit
memory/1884-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1884-6-0x0000000000AD0000-0x0000000000AE4000-memory.dmp

Filesize
80KB

Download
memory/1884-9-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1884-10-0x0000000000AD0000-0x0000000000AE4000-memory.dmp

Filesize
80KB

Download