f321a3f6ebbabb7d05a0a2a491c8581dca2d0ecbc3f6c721e3397d0b4813aca8

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
Size

3.4MB
MD5

c836e285f7902c417eea1ac21a0bc6f1
SHA1

d974a5f3b522114fdb4573fb843c7deecf95b82e
SHA256

f321a3f6ebbabb7d05a0a2a491c8581dca2d0ecbc3f6c721e3397d0b4813aca8
SHA512

97f067b9e805fd8f749a8877c8a7c59e2a80cda90bdc7fbb53685ec981f4b5b36bdca6654d5065d8082c1a5b433f948f040bc85a51256a346607b78cb9aebf16
SSDEEP

49152:lZhsnB5UB7JGTMlJhZaiHawxybD5N5Mo8UlkZYbLblS8kztc1L2awT+N+LAb7BAa:lZIB5i7xllH8Gr6LblS8fwxTtLK7iob

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2820	DSPTW.exe
3024	DSPTW.exe
2572	DSPTW.exe
1636	DSPTW.exe

Loads dropped DLL 8 IoCs

pid	Process
2156	cmd.exe
2156	cmd.exe
2664	cmd.exe
2664	cmd.exe
2604	cmd.exe
2604	cmd.exe
2964	cmd.exe
2964	cmd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2668-0-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2964-51-0x0000000000160000-0x0000000000173000-memory.dmp	upx
behavioral1/memory/2668-50-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/2668-69-0x0000000000400000-0x0000000000490000-memory.dmp	upx

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\s:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\G:	DSPTW.exe
File opened (read-only)	\??\y:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\M:	DSPTW.exe
File opened (read-only)	\??\Y:	DSPTW.exe
File opened (read-only)	\??\P:	DSPTW.exe
File opened (read-only)	\??\L:	DSPTW.exe
File opened (read-only)	\??\P:	DSPTW.exe
File opened (read-only)	\??\Z:	DSPTW.exe
File opened (read-only)	\??\E:	DSPTW.exe
File opened (read-only)	\??\S:	DSPTW.exe
File opened (read-only)	\??\S:	DSPTW.exe
File opened (read-only)	\??\Y:	DSPTW.exe
File opened (read-only)	\??\K:	DSPTW.exe
File opened (read-only)	\??\P:	DSPTW.exe
File opened (read-only)	\??\e:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\R:	DSPTW.exe
File opened (read-only)	\??\R:	DSPTW.exe
File opened (read-only)	\??\D:	DSPTW.exe
File opened (read-only)	\??\u:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\I:	DSPTW.exe
File opened (read-only)	\??\J:	DSPTW.exe
File opened (read-only)	\??\M:	DSPTW.exe
File opened (read-only)	\??\E:	DSPTW.exe
File opened (read-only)	\??\D:	DSPTW.exe
File opened (read-only)	\??\V:	DSPTW.exe
File opened (read-only)	\??\X:	DSPTW.exe
File opened (read-only)	\??\n:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\D:	DSPTW.exe
File opened (read-only)	\??\U:	DSPTW.exe
File opened (read-only)	\??\O:	DSPTW.exe
File opened (read-only)	\??\g:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\F:	DSPTW.exe
File opened (read-only)	\??\W:	DSPTW.exe
File opened (read-only)	\??\x:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\F:	DSPTW.exe
File opened (read-only)	\??\l:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\Y:	DSPTW.exe
File opened (read-only)	\??\p:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\Z:	DSPTW.exe
File opened (read-only)	\??\H:	DSPTW.exe
File opened (read-only)	\??\h:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\J:	DSPTW.exe
File opened (read-only)	\??\W:	DSPTW.exe
File opened (read-only)	\??\b:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\q:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\N:	DSPTW.exe
File opened (read-only)	\??\w:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\U:	DSPTW.exe
File opened (read-only)	\??\K:	DSPTW.exe
File opened (read-only)	\??\O:	DSPTW.exe
File opened (read-only)	\??\Z:	DSPTW.exe
File opened (read-only)	\??\J:	DSPTW.exe
File opened (read-only)	\??\T:	DSPTW.exe
File opened (read-only)	\??\r:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\K:	DSPTW.exe
File opened (read-only)	\??\X:	DSPTW.exe
File opened (read-only)	\??\O:	DSPTW.exe
File opened (read-only)	\??\V:	DSPTW.exe
File opened (read-only)	\??\I:	DSPTW.exe
File opened (read-only)	\??\t:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\T:	DSPTW.exe
File opened (read-only)	\??\N:	DSPTW.exe
File opened (read-only)	\??\X:	DSPTW.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2668-50-0x0000000000400000-0x0000000000490000-memory.dmp	autoit_exe
behavioral1/memory/2668-69-0x0000000000400000-0x0000000000490000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2668	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2668	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
2668	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
2668	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2668	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
2668	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
2668	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2156	2668	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2156	2668	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2156	2668	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2156	2668	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	31
PID 2156 wrote to memory of 2820	2156	cmd.exe	33
PID 2156 wrote to memory of 2820	2156	cmd.exe	33
PID 2156 wrote to memory of 2820	2156	cmd.exe	33
PID 2156 wrote to memory of 2820	2156	cmd.exe	33
PID 2668 wrote to memory of 2664	2668	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	34
PID 2668 wrote to memory of 2664	2668	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	34
PID 2668 wrote to memory of 2664	2668	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	34
PID 2668 wrote to memory of 2664	2668	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	34
PID 2664 wrote to memory of 3024	2664	cmd.exe	36
PID 2664 wrote to memory of 3024	2664	cmd.exe	36
PID 2664 wrote to memory of 3024	2664	cmd.exe	36
PID 2664 wrote to memory of 3024	2664	cmd.exe	36
PID 2668 wrote to memory of 2604	2668	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	37
PID 2668 wrote to memory of 2604	2668	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	37
PID 2668 wrote to memory of 2604	2668	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	37
PID 2668 wrote to memory of 2604	2668	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	37
PID 2604 wrote to memory of 2572	2604	cmd.exe	39
PID 2604 wrote to memory of 2572	2604	cmd.exe	39
PID 2604 wrote to memory of 2572	2604	cmd.exe	39
PID 2604 wrote to memory of 2572	2604	cmd.exe	39
PID 2668 wrote to memory of 2964	2668	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	40
PID 2668 wrote to memory of 2964	2668	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	40
PID 2668 wrote to memory of 2964	2668	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	40
PID 2668 wrote to memory of 2964	2668	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	40
PID 2964 wrote to memory of 1636	2964	cmd.exe	42
PID 2964 wrote to memory of 1636	2964	cmd.exe	42
PID 2964 wrote to memory of 1636	2964	cmd.exe	42
PID 2964 wrote to memory of 1636	2964	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DSPTW.exe 1 /find:all /ghoststyle >disk.txt
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\DSPTW.exe
    C:\Users\Admin\AppData\Local\Temp\DSPTW.exe 1 /find:all /ghoststyle
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DSPTW.exe 2 /find:all /ghoststyle >>disk.txt
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\DSPTW.exe
    C:\Users\Admin\AppData\Local\Temp\DSPTW.exe 2 /find:all /ghoststyle
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    PID:3024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DSPTW.exe 3 /find:all /ghoststyle >>disk.txt
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\DSPTW.exe
    C:\Users\Admin\AppData\Local\Temp\DSPTW.exe 3 /find:all /ghoststyle
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    PID:2572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DSPTW.exe 4 /find:all /ghoststyle >>disk.txt
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Local\Temp\DSPTW.exe
    C:\Users\Admin\AppData\Local\Temp\DSPTW.exe 4 /find:all /ghoststyle
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DSPTW.exe

Filesize
21KB

MD5
ddcc97fae2ff63173dcb14f23bea747e

SHA1
207accaf077a8f7845a826b7e0d3c11dc0deee8a

SHA256
d391e2ef9afd9152c8bf0458655c883725d9444b3da428fe59eca68170529123

SHA512
5fb1dce12b1781a0edf42e653838ee0c2ec1d70fba845b51f5582f7ca508769e10d24640d17761e537088163e945a3f318251e74870be560b6086a8afab230d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\disk.txt

Filesize
317B

MD5
13ea6284e752d298caf4951e32fa432d

SHA1
3be823fcb6a6123a15c60bf4983a47487477ea83

SHA256
e0fc3e7132b135c0458c2ce0af08507588bd8fd4a32ee6ebc5eba7cf6f29a23c

SHA512
1dac0802dfba72cb8b20660af3a64ed36873456dc0f4f6c54c2e64baad08ae854088c278fcc2c7c9b44c0443c865ae25a6663ee02d96102dc4afdbc41c1ce435

Download Submit
C:\Users\Admin\AppData\Local\Temp\disk.txt

Filesize
337B

MD5
f670905bc60991ad168e33bb83911c4b

SHA1
4855688cf8d6c410e86f8d9e93ba92d62ecaf5e2

SHA256
1f7caf19c0a523d7c305444a7fe83fea242b1477f3058600b78cdc6610356254

SHA512
c09ccbce31e3cf68853e244b2fbb87fcf2c2548ebd14f546ef363153f5765189a95da48e530111b8d01583b1e6222294565841ebdf4dbc6c408b8fe3e3a00bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\disk.txt

Filesize
357B

MD5
87e689642c91db42a3fd8431c4abf345

SHA1
9b30bf55d6499f26b42fa449f8407d58a3a22b0d

SHA256
a2c6fd5d2d718c5f6dbbd44ba6f4ec11c80063e5b0942099973eaf1cabb6e9af

SHA512
f41920bb7165f23c63822b0a5e8294d4b438288afa983a599c7ea351bfc62ee42071d87d98a8718a318203e6ac72e147795550192f6c111da7c08a0d90a3e84b

Download Submit
C:\Users\Admin\AppData\Local\Temp\disk.txt

Filesize
377B

MD5
5cf11f8e63ee4aa5d9202d3fe9478c43

SHA1
06add3e461cf98e403dc0701eba09da9e8a863bf

SHA256
190b5d56959514cc95fd173d2027e0bfd8a95a246ca0b03c8bab1d42507e5aaa

SHA512
e4b1ce2efcb65fee4c7ae8ebae8d1f406d7e36ac49f4fd3eadb4308b9a078e2eb9f1f1091298a49188e3d6c0dd146192c7f06d00e6880ece512825d08d782be9

Download Submit
memory/1636-53-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2156-23-0x0000000000280000-0x0000000000293000-memory.dmp

Filesize
76KB

Download
memory/2572-44-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2664-34-0x00000000000C0000-0x00000000000D3000-memory.dmp

Filesize
76KB

Download
memory/2664-33-0x00000000000C0000-0x00000000000D3000-memory.dmp

Filesize
76KB

Download
memory/2668-50-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2668-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2668-69-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2820-27-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2964-51-0x0000000000160000-0x0000000000173000-memory.dmp

Filesize
76KB

Download
memory/3024-37-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3024-35-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download