b91b7c47d4cb0269d816c72e875ff2a2978776c1a90f0d1a6143fdf16068562d

Analysis

max time kernel
141s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da5e02a40ca65a850771fbac3637ea65_JaffaCakes118.exe
Size

596KB
MD5

da5e02a40ca65a850771fbac3637ea65
SHA1

c5be57d04ca54e09adbe6068f10da4ada79482b5
SHA256

b91b7c47d4cb0269d816c72e875ff2a2978776c1a90f0d1a6143fdf16068562d
SHA512

c0dd56873844d86148efe655256635864e8be7144d6993553d6f89be36fe8e8f9186e3738b8096eda4a8c8177a83903cbdc90284d16bd14adec00cf87894b77f
SSDEEP

12288:PKfOyy65vkNRrwvQFmqUBX1KZTY1bOB1f4KfTKk+9UqGJ+e5PHtHT7jDLG:yq62UIFmJhoao4KOk+lGJzxT7jG

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1724	A.exe
1316	y666..exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000012102-7.dat	upx
behavioral1/memory/1724-10-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1724-19-0x0000000000400000-0x0000000000468000-memory.dmp	upx

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	y666..exe
File opened (read-only)	\??\F:	y666..exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\A.exe	da5e02a40ca65a850771fbac3637ea65_JaffaCakes118.exe
File created	C:\Windows\Ÿêí¢_ Ÿé¬...3gp	da5e02a40ca65a850771fbac3637ea65_JaffaCakes118.exe
File created	C:\Windows\y666..exe	A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da5e02a40ca65a850771fbac3637ea65_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y666..exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2136	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2136	vlc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2136	vlc.exe
Token: SeIncBasePriorityPrivilege	2136	vlc.exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
2136	vlc.exe
2136	vlc.exe
2136	vlc.exe
2136	vlc.exe
2136	vlc.exe
2136	vlc.exe
2136	vlc.exe
2136	vlc.exe
2136	vlc.exe
2136	vlc.exe
2136	vlc.exe
2136	vlc.exe
2136	vlc.exe
2136	vlc.exe
2136	vlc.exe
2136	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2136	vlc.exe
2136	vlc.exe
2136	vlc.exe
2136	vlc.exe
2136	vlc.exe
2136	vlc.exe
2136	vlc.exe
2136	vlc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1316	y666..exe
2136	vlc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 1724	2560	da5e02a40ca65a850771fbac3637ea65_JaffaCakes118.exe	30
PID 2560 wrote to memory of 1724	2560	da5e02a40ca65a850771fbac3637ea65_JaffaCakes118.exe	30
PID 2560 wrote to memory of 1724	2560	da5e02a40ca65a850771fbac3637ea65_JaffaCakes118.exe	30
PID 2560 wrote to memory of 1724	2560	da5e02a40ca65a850771fbac3637ea65_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2136	2560	da5e02a40ca65a850771fbac3637ea65_JaffaCakes118.exe	31
PID 2560 wrote to memory of 2136	2560	da5e02a40ca65a850771fbac3637ea65_JaffaCakes118.exe	31
PID 2560 wrote to memory of 2136	2560	da5e02a40ca65a850771fbac3637ea65_JaffaCakes118.exe	31
PID 2560 wrote to memory of 2136	2560	da5e02a40ca65a850771fbac3637ea65_JaffaCakes118.exe	31
PID 1724 wrote to memory of 1316	1724	A.exe	32
PID 1724 wrote to memory of 1316	1724	A.exe	32
PID 1724 wrote to memory of 1316	1724	A.exe	32
PID 1724 wrote to memory of 1316	1724	A.exe	32

C:\Users\Admin\AppData\Local\Temp\da5e02a40ca65a850771fbac3637ea65_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da5e02a40ca65a850771fbac3637ea65_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\A.exe
  "C:\Windows\A.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\y666..exe
    "C:\Windows\y666..exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1316
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Windows\Ÿêí¢_ Ÿé¬...3gp"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\A.exe

Filesize
208KB

MD5
7316f87097e132b37abd0545cc92e580

SHA1
8dcbc9c931e4e14105229a8737e7a822acdc6649

SHA256
158c07f7f64463c596b524ead388d9d404959cff16502eb31f0687be9185bfaf

SHA512
ab4defc28a1364ec949b700ef57331f30de78145fc7549993c49374c270d609f2803a308eba957e22458ab35bdecae52c8ab1acf00b5f52717ebc0cb6ea69b73

Download Submit
C:\Windows\y666..exe

Filesize
343KB

MD5
081122ed0211ab566a07acbf6712f5db

SHA1
1d28ec2963c2801bc5d9667693e1d3edfbcfba26

SHA256
600192c1efc9de9ddf90cc945841b1a66baad502ea5f027bd293a1bf35505bf7

SHA512
e1e198a8c447396461cca575214365e78b575c966dc8196e3d90d5513f2a00e1be4ff62192e19ea3d2ce731bc2f88b96d9a01f8b3cd4f2b78171b8d100a6fd01

Download Submit
C:\Windows\Ÿêí¢_ Ÿé¬...3gp

Filesize
370KB

MD5
942a979612d09038baec65e04cedd42d

SHA1
4d856a9704ee9f7d8d34ba4c345a4df4077500e6

SHA256
dff0bcb7cff46a003ca02a823173430d0d1dadca379424a48e7a735ceb9093e6

SHA512
d8434a59f44f169c4fb3ea6c1b07ab87fa504e9b09f08470446cc5c29223536770df66828230c5d287c9e50614f689cf3a174a10fc20d1cf6ed24ed768678bc1

Download Submit
memory/1724-10-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1724-19-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2136-40-0x000007FEF4600000-0x000007FEF480B000-memory.dmp

Filesize
2.0MB

Download
memory/2136-35-0x000007FEF6B30000-0x000007FEF6B47000-memory.dmp

Filesize
92KB

Download
memory/2136-29-0x000000013F6E0000-0x000000013F7D8000-memory.dmp

Filesize
992KB

Download
memory/2136-37-0x000007FEF64C0000-0x000007FEF64DD000-memory.dmp

Filesize
116KB

Download
memory/2136-34-0x000007FEF70A0000-0x000007FEF70B1000-memory.dmp

Filesize
68KB

Download
memory/2136-38-0x000007FEF64A0000-0x000007FEF64B1000-memory.dmp

Filesize
68KB

Download
memory/2136-36-0x000007FEF64E0000-0x000007FEF64F1000-memory.dmp

Filesize
68KB

Download
memory/2136-39-0x000007FEF4810000-0x000007FEF58C0000-memory.dmp

Filesize
16.7MB

Download
memory/2136-31-0x000007FEF58C0000-0x000007FEF5B76000-memory.dmp

Filesize
2.7MB

Download
memory/2136-33-0x000007FEF7370000-0x000007FEF7387000-memory.dmp

Filesize
92KB

Download
memory/2136-32-0x000007FEFB0C0000-0x000007FEFB0D8000-memory.dmp

Filesize
96KB

Download
memory/2136-41-0x000007FEF6050000-0x000007FEF6091000-memory.dmp

Filesize
260KB

Download
memory/2136-42-0x000007FEF6470000-0x000007FEF6491000-memory.dmp

Filesize
132KB

Download
memory/2136-43-0x000007FEF6030000-0x000007FEF6048000-memory.dmp

Filesize
96KB

Download
memory/2136-44-0x000007FEF6010000-0x000007FEF6021000-memory.dmp

Filesize
68KB

Download
memory/2136-45-0x000007FEF5FF0000-0x000007FEF6001000-memory.dmp

Filesize
68KB

Download
memory/2136-46-0x000007FEF5FD0000-0x000007FEF5FE1000-memory.dmp

Filesize
68KB

Download
memory/2136-47-0x000007FEF5FB0000-0x000007FEF5FCB000-memory.dmp

Filesize
108KB

Download
memory/2136-48-0x000007FEF5F90000-0x000007FEF5FA1000-memory.dmp

Filesize
68KB

Download
memory/2136-49-0x000007FEF5F70000-0x000007FEF5F88000-memory.dmp

Filesize
96KB

Download
memory/2136-50-0x000007FEF5F40000-0x000007FEF5F70000-memory.dmp

Filesize
192KB

Download
memory/2136-51-0x000007FEF4590000-0x000007FEF45F7000-memory.dmp

Filesize
412KB

Download
memory/2136-52-0x000007FEF4510000-0x000007FEF458C000-memory.dmp

Filesize
496KB

Download
memory/2136-53-0x000007FEF5F20000-0x000007FEF5F31000-memory.dmp

Filesize
68KB

Download
memory/2136-54-0x000007FEF44B0000-0x000007FEF4507000-memory.dmp

Filesize
348KB

Download
memory/2136-30-0x000007FEF6B50000-0x000007FEF6B84000-memory.dmp

Filesize
208KB

Download
memory/2136-57-0x000007FEF2AC0000-0x000007FEF432F000-memory.dmp

Filesize
24.4MB

Download
memory/2136-70-0x000007FEF1D30000-0x000007FEF1FE0000-memory.dmp

Filesize
2.7MB

Download
memory/2136-55-0x000007FEF4330000-0x000007FEF44B0000-memory.dmp

Filesize
1.5MB

Download
memory/2136-59-0x000007FEF2890000-0x000007FEF28A2000-memory.dmp

Filesize
72KB

Download
memory/2136-62-0x000007FEF7090000-0x000007FEF70A0000-memory.dmp

Filesize
64KB

Download
memory/2136-61-0x000007FEF27F0000-0x000007FEF283D000-memory.dmp

Filesize
308KB

Download
memory/2136-60-0x000007FEF2840000-0x000007FEF2882000-memory.dmp

Filesize
264KB

Download
memory/2136-58-0x000007FEF28B0000-0x000007FEF2AB6000-memory.dmp

Filesize
2.0MB

Download
memory/2136-64-0x000007FEF2380000-0x000007FEF2391000-memory.dmp

Filesize
68KB

Download
memory/2136-65-0x000007FEF2360000-0x000007FEF2376000-memory.dmp

Filesize
88KB

Download
memory/2136-63-0x000007FEF23A0000-0x000007FEF23CF000-memory.dmp

Filesize
188KB

Download
memory/2136-67-0x000007FEF2240000-0x000007FEF2282000-memory.dmp

Filesize
264KB

Download
memory/2136-66-0x000007FEF2290000-0x000007FEF2355000-memory.dmp

Filesize
788KB

Download
memory/2136-68-0x000007FEF21D0000-0x000007FEF2232000-memory.dmp

Filesize
392KB

Download
memory/2136-69-0x000007FEF2160000-0x000007FEF21CD000-memory.dmp

Filesize
436KB

Download
memory/2136-71-0x000007FEF1D10000-0x000007FEF1D25000-memory.dmp

Filesize
84KB

Download
memory/2136-72-0x000007FEF1CE0000-0x000007FEF1D03000-memory.dmp

Filesize
140KB

Download
memory/2136-73-0x000007FEF1CA0000-0x000007FEF1CB3000-memory.dmp

Filesize
76KB

Download
memory/2136-74-0x000007FEF1B90000-0x000007FEF1C96000-memory.dmp

Filesize
1.0MB

Download
memory/2136-75-0x000007FEF1B70000-0x000007FEF1B81000-memory.dmp

Filesize
68KB

Download
memory/2136-56-0x000007FEF5F00000-0x000007FEF5F17000-memory.dmp

Filesize
92KB

Download
memory/2136-76-0x000007FEF1710000-0x000007FEF1721000-memory.dmp

Filesize
68KB

Download
memory/2136-77-0x000007FEF16A0000-0x000007FEF1701000-memory.dmp

Filesize
388KB

Download
memory/2136-78-0x000007FEF1650000-0x000007FEF1697000-memory.dmp

Filesize
284KB

Download
memory/2136-80-0x000007FEF1050000-0x000007FEF1084000-memory.dmp

Filesize
208KB

Download
memory/2136-79-0x000007FEF15D0000-0x000007FEF1644000-memory.dmp

Filesize
464KB

Download
memory/2560-12-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2560-9-0x0000000002AB0000-0x0000000002B18000-memory.dmp

Filesize
416KB

Download
memory/2560-8-0x0000000002AB0000-0x0000000002B18000-memory.dmp

Filesize
416KB

Download