d89ea9bffb7a6f28567405eca3ede9226b1c886c3817cae71dcb5f3c78f912e6

Analysis

max time kernel
135s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dabfc15614501bb318a3586036da132c_JaffaCakes118.exe
Size

129KB
MD5

dabfc15614501bb318a3586036da132c
SHA1

b07a82a8b4173eb16bc90915bf3c25ea6bbb4a8e
SHA256

d89ea9bffb7a6f28567405eca3ede9226b1c886c3817cae71dcb5f3c78f912e6
SHA512

a6752a80e268066c9533b971958dd39e81fb7fc081bb3ec2bc7f7b39ad1a00801b257d9009d37c9f24fd7d790c75c6517eef1dd075b779e83d538cb763e5e94b
SSDEEP

3072:7IJxKNdqSwvrJ5LhgNA3PK+/uDcrfWt0L:cJ4Ndqt7ZPKiq6L

Score

8^/10

discovery vmprotect

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\ahnurl.sys	dabfc15614501bb318a3586036da132c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ahnurl.sys	dabfc15614501bb318a3586036da132c_JaffaCakes118.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/3200-0-0x0000000000400000-0x0000000000453000-memory.dmp	vmprotect
behavioral2/memory/3200-8-0x0000000000400000-0x0000000000453000-memory.dmp	vmprotect

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\setupball.bmp	dabfc15614501bb318a3586036da132c_JaffaCakes118.exe
File opened for modification	C:\Windows\version.dat	dabfc15614501bb318a3586036da132c_JaffaCakes118.exe
File opened for modification	C:\Windows\winurl.dat	dabfc15614501bb318a3586036da132c_JaffaCakes118.exe
File opened for modification	C:\Windows\wintmp.dat	dabfc15614501bb318a3586036da132c_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dabfc15614501bb318a3586036da132c_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
664	Process not Found

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 5032	3200	dabfc15614501bb318a3586036da132c_JaffaCakes118.exe	83
PID 3200 wrote to memory of 5032	3200	dabfc15614501bb318a3586036da132c_JaffaCakes118.exe	83
PID 3200 wrote to memory of 5032	3200	dabfc15614501bb318a3586036da132c_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\dabfc15614501bb318a3586036da132c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dabfc15614501bb318a3586036da132c_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dele57bd93.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dele57bd93.bat

Filesize
271B

MD5
92f90f29da76e00ae5f82e2d2a864dc4

SHA1
390ca107990b1a866e9fc0a065a44b4bc66027e6

SHA256
3cb6fd4ea432fba68d9b7745f875853cc7aeeaf0cf961f4fa6031e31b67dae31

SHA512
ee11263a0423e672486ccc0d70c1020eaaf1fc95dab10524c25f0641dc412545fe95a42b87368c4bb00c2f0ef6cf07f4a2e4892ed5573d3f5060e50a8d5de0b4

Download Submit
memory/3200-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3200-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download