a609027c6f349e9e81026889c69ba1651db9ea24c34958ddccd4edf1978ebfa7

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe
Size

78KB
MD5

d2223385e5067cbcffee27cdb5a131fc
SHA1

74fe9627edde991ab50186d5f5b4294da8d43b3b
SHA256

a609027c6f349e9e81026889c69ba1651db9ea24c34958ddccd4edf1978ebfa7
SHA512

3754e8a60877d553d144c6fe65c78da9f420c844132f7f8ae107bcf4bdbc3d7ba9c2912fb4e938c5962beed23f8dcd4fd185a8fe8892bb5be845839c39eb5b46
SSDEEP

1536:KPzSYqFJF3/eguGJSNIV9l1NTXQPyjQxJVivVzoK5QRDXOvlvnQIE+F1TcYdR0R:ozSYKb3/74I3NTXQHPVidjQRDXQ51F1Y

Score

7^/10

defense_evasion discovery upx vmprotect

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
4456	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe
4456	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe
4456	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe
1032	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4456-0-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4456-24-0x0000000000400000-0x0000000000424000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x00070000000234be-12.dat	vmprotect
behavioral2/memory/4456-20-0x0000000010000000-0x0000000010019000-memory.dmp	vmprotect
behavioral2/memory/1032-27-0x0000000010000000-0x0000000010019000-memory.dmp	vmprotect

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zyabcd2.dat	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\zyabcd3.dat	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\zyabcd4.dat	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\zyabcd5.dat	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zyabcd.cfg	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\zyabcd1.dat	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\zyabcd2.dat	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zyabcd3.dat	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zyabcd4.dat	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zyabcd5.dat	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\uxmtoakej.dll	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zyabcd1.dat	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\dnf\uxmtoakej.dll	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4456	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe
4456	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4456	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe
656	Process not Found
4456	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe
656	Process not Found
4456	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe
656	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	4456	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	4456	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	4456	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4456	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 1032	4456	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe	86
PID 4456 wrote to memory of 1032	4456	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe	86
PID 4456 wrote to memory of 1032	4456	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe	86
PID 4456 wrote to memory of 184	4456	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe	87
PID 4456 wrote to memory of 184	4456	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe	87
PID 4456 wrote to memory of 184	4456	d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d2223385e5067cbcffee27cdb5a131fc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe c:\Progra~1\dnf\uxmtoakej.dll Start
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D22233~1.EXE
  2⤵
  - System Location Discovery: System Language Discovery
  PID:184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\uxmtoakej.dll

Filesize
92KB

MD5
e05adfc98adb02be3c057cb7464c12d8

SHA1
c1a4ba2c0d4b3aa3f0edcee547ba9761ae08874a

SHA256
c9a520ae753caf817ddcb913d3ed558288c2ea8a18874c2fcd872a992a6cfa97

SHA512
66032553ea3a1bde68956cc2b3be44de9d9d7d7c241b1a9c1e19744b965c0e9d41f85066d92fcb0d6a9642f5483560c67eb8dae88b5e2eb674e3a3f5855d412a

Download Submit
memory/1032-27-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4456-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4456-14-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4456-17-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4456-20-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4456-24-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download