0bbc78086bcf144e92f0aa8643d640883a80e63264877e4acf9c388534f41aad

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfaee561fdca93f62dbb8a27967f0938_JaffaCakes118.exe
Size

20KB
MD5

cfaee561fdca93f62dbb8a27967f0938
SHA1

8734f30cccd3f873ad49e86ce183d598f6df0ed6
SHA256

0bbc78086bcf144e92f0aa8643d640883a80e63264877e4acf9c388534f41aad
SHA512

51f97dbbe57aacfc93551fecab3251733ddd60b51de543291172e070a43fbd7951b9a2024ea77561e5faee66e7ded40bbbb4244f723cf42e5fbc8de2a3dd5e32
SSDEEP

384:yCD+UJ98fWL/dJ3XZQchddemqqfPYisd1Ni2C2tj/wWQWjsmz86pS:iUJOOL/dVXZQMdem/fgis3NM2dRQWf8s

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
828	cfaee561fdca93f62dbb8a27967f0938_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/828-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/828-13-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfaee561fdca93f62dbb8a27967f0938_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
828	cfaee561fdca93f62dbb8a27967f0938_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 2520	828	cfaee561fdca93f62dbb8a27967f0938_JaffaCakes118.exe	31
PID 828 wrote to memory of 2520	828	cfaee561fdca93f62dbb8a27967f0938_JaffaCakes118.exe	31
PID 828 wrote to memory of 2520	828	cfaee561fdca93f62dbb8a27967f0938_JaffaCakes118.exe	31
PID 828 wrote to memory of 2520	828	cfaee561fdca93f62dbb8a27967f0938_JaffaCakes118.exe	31
PID 828 wrote to memory of 2676	828	cfaee561fdca93f62dbb8a27967f0938_JaffaCakes118.exe	32
PID 828 wrote to memory of 2676	828	cfaee561fdca93f62dbb8a27967f0938_JaffaCakes118.exe	32
PID 828 wrote to memory of 2676	828	cfaee561fdca93f62dbb8a27967f0938_JaffaCakes118.exe	32
PID 828 wrote to memory of 2676	828	cfaee561fdca93f62dbb8a27967f0938_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\cfaee561fdca93f62dbb8a27967f0938_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cfaee561fdca93f62dbb8a27967f0938_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:828
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\259452080.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259452080.bat

Filesize
269B

MD5
9e7ce4844044c14ead6ead8cd97fd318

SHA1
dced2d86bb4acde038ef4b0bfff25d5c0577ef99

SHA256
1a83bc87c9e07d2ddb2f55cc2aadd9db02b03b9ad85313cd9674056f26326659

SHA512
276fca3347e1b49fea7f4535b55162f12f25989c5c50b05a79c230500075b9a9ec05696c22aa7d0e4df702d0dd8bdfca0b8123be9c57dd6b867b5599dfca6a08

Download Submit
\Users\Admin\AppData\Local\Temp\dll36.dll

Filesize
33KB

MD5
23bde3e162363d9de3cf80d83c620723

SHA1
3dbdd9f27aa6309e98ada826bf9fbf2e5c282eb9

SHA256
9f031b6922786eb99317c951e6b7cdb3c6b04af332722b686d85e5b636e69191

SHA512
c07fc9afaaa885e5e7bbc83fbe52a40d7060c64d264173fa0cab638a7634c137500d9f34e6c71ce2611c719cef094c663b267ccdd84e43a5a0c90cee2bee7680

Download Submit
memory/828-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/828-13-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download