f321a3f6ebbabb7d05a0a2a491c8581dca2d0ecbc3f6c721e3397d0b4813aca8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
Size

3.4MB
MD5

c836e285f7902c417eea1ac21a0bc6f1
SHA1

d974a5f3b522114fdb4573fb843c7deecf95b82e
SHA256

f321a3f6ebbabb7d05a0a2a491c8581dca2d0ecbc3f6c721e3397d0b4813aca8
SHA512

97f067b9e805fd8f749a8877c8a7c59e2a80cda90bdc7fbb53685ec981f4b5b36bdca6654d5065d8082c1a5b433f948f040bc85a51256a346607b78cb9aebf16
SSDEEP

49152:lZhsnB5UB7JGTMlJhZaiHawxybD5N5Mo8UlkZYbLblS8kztc1L2awT+N+LAb7BAa:lZIB5i7xllH8Gr6LblS8fwxTtLK7iob

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
660	DSPTW.exe
4084	DSPTW.exe
3564	DSPTW.exe
3256	DSPTW.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3060-0-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/3060-59-0x0000000000400000-0x0000000000490000-memory.dmp	upx

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\u:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\S:	DSPTW.exe
File opened (read-only)	\??\V:	DSPTW.exe
File opened (read-only)	\??\V:	DSPTW.exe
File opened (read-only)	\??\N:	DSPTW.exe
File opened (read-only)	\??\T:	DSPTW.exe
File opened (read-only)	\??\h:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\o:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\x:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\Z:	DSPTW.exe
File opened (read-only)	\??\Q:	DSPTW.exe
File opened (read-only)	\??\I:	DSPTW.exe
File opened (read-only)	\??\X:	DSPTW.exe
File opened (read-only)	\??\z:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\G:	DSPTW.exe
File opened (read-only)	\??\M:	DSPTW.exe
File opened (read-only)	\??\D:	DSPTW.exe
File opened (read-only)	\??\V:	DSPTW.exe
File opened (read-only)	\??\Z:	DSPTW.exe
File opened (read-only)	\??\k:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\U:	DSPTW.exe
File opened (read-only)	\??\G:	DSPTW.exe
File opened (read-only)	\??\D:	DSPTW.exe
File opened (read-only)	\??\N:	DSPTW.exe
File opened (read-only)	\??\I:	DSPTW.exe
File opened (read-only)	\??\J:	DSPTW.exe
File opened (read-only)	\??\H:	DSPTW.exe
File opened (read-only)	\??\b:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\w:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\T:	DSPTW.exe
File opened (read-only)	\??\V:	DSPTW.exe
File opened (read-only)	\??\T:	DSPTW.exe
File opened (read-only)	\??\W:	DSPTW.exe
File opened (read-only)	\??\M:	DSPTW.exe
File opened (read-only)	\??\j:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\F:	DSPTW.exe
File opened (read-only)	\??\F:	DSPTW.exe
File opened (read-only)	\??\G:	DSPTW.exe
File opened (read-only)	\??\E:	DSPTW.exe
File opened (read-only)	\??\E:	DSPTW.exe
File opened (read-only)	\??\W:	DSPTW.exe
File opened (read-only)	\??\H:	DSPTW.exe
File opened (read-only)	\??\O:	DSPTW.exe
File opened (read-only)	\??\R:	DSPTW.exe
File opened (read-only)	\??\X:	DSPTW.exe
File opened (read-only)	\??\O:	DSPTW.exe
File opened (read-only)	\??\R:	DSPTW.exe
File opened (read-only)	\??\R:	DSPTW.exe
File opened (read-only)	\??\v:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\P:	DSPTW.exe
File opened (read-only)	\??\Q:	DSPTW.exe
File opened (read-only)	\??\K:	DSPTW.exe
File opened (read-only)	\??\U:	DSPTW.exe
File opened (read-only)	\??\S:	DSPTW.exe
File opened (read-only)	\??\g:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\r:	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
File opened (read-only)	\??\S:	DSPTW.exe
File opened (read-only)	\??\N:	DSPTW.exe
File opened (read-only)	\??\G:	DSPTW.exe
File opened (read-only)	\??\F:	DSPTW.exe
File opened (read-only)	\??\H:	DSPTW.exe
File opened (read-only)	\??\Q:	DSPTW.exe
File opened (read-only)	\??\Y:	DSPTW.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3060-59-0x0000000000400000-0x0000000000490000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DSPTW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3060	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3060	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
3060	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
3060	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3060	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
3060	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
3060	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 1352	3060	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	89
PID 3060 wrote to memory of 1352	3060	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	89
PID 3060 wrote to memory of 1352	3060	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	89
PID 1352 wrote to memory of 660	1352	cmd.exe	91
PID 1352 wrote to memory of 660	1352	cmd.exe	91
PID 1352 wrote to memory of 660	1352	cmd.exe	91
PID 3060 wrote to memory of 1892	3060	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	92
PID 3060 wrote to memory of 1892	3060	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	92
PID 3060 wrote to memory of 1892	3060	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	92
PID 1892 wrote to memory of 4084	1892	cmd.exe	94
PID 1892 wrote to memory of 4084	1892	cmd.exe	94
PID 1892 wrote to memory of 4084	1892	cmd.exe	94
PID 3060 wrote to memory of 4892	3060	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	95
PID 3060 wrote to memory of 4892	3060	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	95
PID 3060 wrote to memory of 4892	3060	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	95
PID 4892 wrote to memory of 3564	4892	cmd.exe	97
PID 4892 wrote to memory of 3564	4892	cmd.exe	97
PID 4892 wrote to memory of 3564	4892	cmd.exe	97
PID 3060 wrote to memory of 4416	3060	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	98
PID 3060 wrote to memory of 4416	3060	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	98
PID 3060 wrote to memory of 4416	3060	c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe	98
PID 4416 wrote to memory of 3256	4416	cmd.exe	100
PID 4416 wrote to memory of 3256	4416	cmd.exe	100
PID 4416 wrote to memory of 3256	4416	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c836e285f7902c417eea1ac21a0bc6f1_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DSPTW.exe 1 /find:all /ghoststyle >disk.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Users\Admin\AppData\Local\Temp\DSPTW.exe
    C:\Users\Admin\AppData\Local\Temp\DSPTW.exe 1 /find:all /ghoststyle
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DSPTW.exe 2 /find:all /ghoststyle >>disk.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Users\Admin\AppData\Local\Temp\DSPTW.exe
    C:\Users\Admin\AppData\Local\Temp\DSPTW.exe 2 /find:all /ghoststyle
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    PID:4084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DSPTW.exe 3 /find:all /ghoststyle >>disk.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Users\Admin\AppData\Local\Temp\DSPTW.exe
    C:\Users\Admin\AppData\Local\Temp\DSPTW.exe 3 /find:all /ghoststyle
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    PID:3564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DSPTW.exe 4 /find:all /ghoststyle >>disk.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Users\Admin\AppData\Local\Temp\DSPTW.exe
    C:\Users\Admin\AppData\Local\Temp\DSPTW.exe 4 /find:all /ghoststyle
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    PID:3256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut8752.tmp

Filesize
21KB

MD5
ddcc97fae2ff63173dcb14f23bea747e

SHA1
207accaf077a8f7845a826b7e0d3c11dc0deee8a

SHA256
d391e2ef9afd9152c8bf0458655c883725d9444b3da428fe59eca68170529123

SHA512
5fb1dce12b1781a0edf42e653838ee0c2ec1d70fba845b51f5582f7ca508769e10d24640d17761e537088163e945a3f318251e74870be560b6086a8afab230d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\disk.txt

Filesize
317B

MD5
4c2352a1bf4c23795127e23b8a480f67

SHA1
e8fae9fc50372bfa790b6445bd9bbc5ba1e29bc2

SHA256
cc0b1a101ef26375a0e759962b7a6ffe00f458519742a4c984b30416b63f6cae

SHA512
f07c3cfc6f8fb864bfc26facf2f4933284a4ae4c1babf797a137b7db578fd24066f2a04f0fd43db5e97fe34e027b0005dd801b9e1d956bb6d648a7b30b5f0728

Download Submit
C:\Users\Admin\AppData\Local\Temp\disk.txt

Filesize
337B

MD5
70cea7fb31515da38952d3e11acb74a6

SHA1
b3947f8d6c3297d635892f727c5dc114d1ea9059

SHA256
746597a223cdf8fea858d0f2424750bfd9932efa271598b445e88116ffbadb35

SHA512
0b8002d419f9412d3e30b5ec2cec21772c5f38763a697f7f677c9734d7783b680d306a489a7631d4cb192a39e461737cc9536415d9b2442f27c69e9176fc484c

Download Submit
C:\Users\Admin\AppData\Local\Temp\disk.txt

Filesize
357B

MD5
8525414b6c84f0ab73c2d22550a3cf50

SHA1
18e1d236b5e6602cd6fa55804c28cfc5f4c8bd35

SHA256
8a361b2e4f0ce1556995d9504976caf32f9517f0a78e8eda9c05a0b5a3a5d6b4

SHA512
d68df01fd5aa498ce95334de59b13589102c7fc8ca29deb679e80d20351fb98b08668a4f9691ba877a0d1277b55bfaae1ab530680ea8149ddfb785d481d2df18

Download Submit
C:\Users\Admin\AppData\Local\Temp\disk.txt

Filesize
377B

MD5
f993b3fee69123e3128f7535b97fd521

SHA1
b9e93db159f740b934b8c1a935a476c1fa77b8bf

SHA256
8d2bdc02887e10ced136a267bfe4d57383775299bbb4b8f787b056b5ae4d26ee

SHA512
6d7ce7f7c432d344b144773aeafdfd4ed2c2cf211ca8457c7284874af389ad0269e5d79d840aaa799b6b9eb919eb10b7d6ef3f220362c3da09a60ded676ac9de

Download Submit
memory/660-25-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/660-28-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3060-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3060-59-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3256-43-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3564-38-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4084-33-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download