b6ab04611ef5f5262ca25b70fc534b881f96edc1f3fd8970e78dfa19e1fc85ab

Analysis

max time kernel
150s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2024, 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe
Size

2.8MB
MD5

cc8b5a30376e83f870559336525cb8bc
SHA1

0bc8ef628007f6c5c2dcfdb69d11fc1e30a127a7
SHA256

b6ab04611ef5f5262ca25b70fc534b881f96edc1f3fd8970e78dfa19e1fc85ab
SHA512

c7f07468ef3555e3ff92459f9f88f19ea137a0ca7a245c1b39db7991e5d8b716e81fdb554ca3d7df66d0e0eec148d6ddf9048e233fa973e5df943c71fa7c5529
SSDEEP

49152:LtfsQ9EC3S+pGz/Jb3H33Z9A63GrzGeLMRStvTM1:1sQVpGz/533386Wr6eLHtw1

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AV Protection 2011v121.exe

Executes dropped EXE 2 IoCs

pid	Process
1740	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2640-10-0x0000000000400000-0x00000000008EA800-memory.dmp	upx
behavioral2/memory/2640-11-0x0000000000400000-0x00000000008EA800-memory.dmp	upx
behavioral2/memory/2640-21-0x0000000000400000-0x00000000008EA800-memory.dmp	upx
behavioral2/memory/2640-20-0x0000000000400000-0x00000000008E4000-memory.dmp	upx
behavioral2/memory/1740-28-0x0000000000400000-0x00000000008EA800-memory.dmp	upx
behavioral2/memory/1740-37-0x0000000000400000-0x00000000008EA800-memory.dmp	upx
behavioral2/memory/4736-73-0x0000000000400000-0x00000000008EA800-memory.dmp	upx
behavioral2/memory/4736-95-0x0000000000400000-0x00000000008EA800-memory.dmp	upx
behavioral2/memory/4736-106-0x0000000000400000-0x00000000008EA800-memory.dmp	upx
behavioral2/memory/4736-117-0x0000000000400000-0x00000000008EA800-memory.dmp	upx
behavioral2/memory/4736-140-0x0000000000400000-0x00000000008EA800-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XelIBtzPNc1v2n48234A = "C:\\Windows\\system32\\AV Protection 2011v121.exe"	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oA1uvD2on4m5W78234A = "C:\\Users\\Admin\\AppData\\Roaming\\a6dWK7fRLhXjC\\AV Protection 2011v121.exe"	AV Protection 2011v121.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\AV Protection 2011v121.exe	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AV Protection 2011v121.exe	AV Protection 2011v121.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV Protection 2011v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV Protection 2011v121.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1740	AV Protection 2011v121.exe
1740	AV Protection 2011v121.exe
1740	AV Protection 2011v121.exe
1740	AV Protection 2011v121.exe
1740	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1640	msiexec.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2640	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe
1740	AV Protection 2011v121.exe
1740	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe
4736	AV Protection 2011v121.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 1740	2640	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe	87
PID 2640 wrote to memory of 1740	2640	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe	87
PID 2640 wrote to memory of 1740	2640	cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe	87
PID 1740 wrote to memory of 4736	1740	AV Protection 2011v121.exe	90
PID 1740 wrote to memory of 4736	1740	AV Protection 2011v121.exe	90
PID 1740 wrote to memory of 4736	1740	AV Protection 2011v121.exe	90

C:\Users\Admin\AppData\Local\Temp\cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\AV Protection 2011v121.exe
  C:\Windows\system32\AV Protection 2011v121.exe 5985C:\Users\Admin\AppData\Local\Temp\cc8b5a30376e83f870559336525cb8bc_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Users\Admin\AppData\Roaming\a6dWK7fRLhXjC\AV Protection 2011v121.exe
    C:\Users\Admin\AppData\Roaming\a6dWK7fRLhXjC\AV Protection 2011v121.exe 5985C:\Windows\SysWOW64\AV Protection 2011v121.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4736

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ldr.ini

Filesize
612B

MD5
1de8b4f6214baff698766458b8597d57

SHA1
4c0b7a17295d03c24092651e3cd697b0c9a8a7d2

SHA256
df47f77a6901331ef4f469b9c99eecb40c3bcda0a91ffc85e3e57b4d6dedb27f

SHA512
dc2a86cc4115855a158c92ba8a18e60ddcdba440dcb78cea962f11414c19e156df0907e780d66fb85b723bc4a698bd047ef5e5207e9d2a41a98d7fc78f5f3c39

Download Submit
C:\Users\Admin\AppData\Roaming\ldr.ini

Filesize
1KB

MD5
b4d1ff54f173894ca7dc94f834114b7b

SHA1
62ae6ed27b215b63fc3a5e7c8c41d7524d17eb4e

SHA256
981373764467b4a11f3e745b339ea95604374425f87efab464023d56ada13ec3

SHA512
a488170b6b01ea14062503afac834c114454c7234820f6b8f694eaaeec27015f742138fbfde07431cbbe5e9edfd2697d94898d2f691ff6401cc6585511b207fc

Download Submit
C:\Windows\SysWOW64\AV Protection 2011v121.exe

Filesize
2.8MB

MD5
cc8b5a30376e83f870559336525cb8bc

SHA1
0bc8ef628007f6c5c2dcfdb69d11fc1e30a127a7

SHA256
b6ab04611ef5f5262ca25b70fc534b881f96edc1f3fd8970e78dfa19e1fc85ab

SHA512
c7f07468ef3555e3ff92459f9f88f19ea137a0ca7a245c1b39db7991e5d8b716e81fdb554ca3d7df66d0e0eec148d6ddf9048e233fa973e5df943c71fa7c5529

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
7eab0ddcbf3cec31ec7731b53fdb09d0

SHA1
bd75e8a2e47b1153d901874b4ecaff0c1222d149

SHA256
a0c9a8935e73279c9a1891afdfa494667cad34cf55063ad912c00ef3706cb280

SHA512
aff2f2bfd15f2840e0939b8fd73fea30797394d9fe5d14d02c86df6fe2ee5d28dccdfc3838777b8678c7c8278d3ee286dca219d4344b8782bca52a6dd1e9f4ca

Download Submit
memory/1740-25-0x0000000000400000-0x00000000008EA800-memory.dmp

Filesize
4.9MB

Download
memory/1740-28-0x0000000000400000-0x00000000008EA800-memory.dmp

Filesize
4.9MB

Download
memory/1740-37-0x0000000000400000-0x00000000008EA800-memory.dmp

Filesize
4.9MB

Download
memory/2640-10-0x0000000000400000-0x00000000008EA800-memory.dmp

Filesize
4.9MB

Download
memory/2640-6-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/2640-20-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2640-21-0x0000000000400000-0x00000000008EA800-memory.dmp

Filesize
4.9MB

Download
memory/2640-11-0x0000000000400000-0x00000000008EA800-memory.dmp

Filesize
4.9MB

Download
memory/2640-8-0x0000000000400000-0x00000000008EA800-memory.dmp

Filesize
4.9MB

Download
memory/2640-7-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/4736-73-0x0000000000400000-0x00000000008EA800-memory.dmp

Filesize
4.9MB

Download
memory/4736-95-0x0000000000400000-0x00000000008EA800-memory.dmp

Filesize
4.9MB

Download
memory/4736-106-0x0000000000400000-0x00000000008EA800-memory.dmp

Filesize
4.9MB

Download
memory/4736-117-0x0000000000400000-0x00000000008EA800-memory.dmp

Filesize
4.9MB

Download
memory/4736-140-0x0000000000400000-0x00000000008EA800-memory.dmp

Filesize
4.9MB

Download