a87f3f428c1fa5d539aef5569a3ca1a29996ff1c27865e1ca44eabf87ff989c8

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd38e7b9a3764fe564a710f05298646e_JaffaCakes118.exe
Size

79KB
MD5

dd38e7b9a3764fe564a710f05298646e
SHA1

d063fd94c5baf1ebcf02a02979be3510d145c5f7
SHA256

a87f3f428c1fa5d539aef5569a3ca1a29996ff1c27865e1ca44eabf87ff989c8
SHA512

1404f7c30908c85db2c2fba932f8343dd0f7c16b3a73f458c00d82a73a0569bcc78f423372621f52f90685a7cd5d897c245022e63af16e3afe6b48be707a1dbf
SSDEEP

1536:43Yb9AKP34HazThNuuGOtQaDCB29QkPz2TkqMvd6lM/ZL1lhENNTKtW4rG:iWtAHYhPkWR2bMVBZL/kNTSrG

Score

7^/10

discovery upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
840	dd38e7b9a3764fe564a710f05298646e_JaffaCakes118.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000800000002344e-10.dat	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\inf\1.txt	dd38e7b9a3764fe564a710f05298646e_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\1.txt	dd38e7b9a3764fe564a710f05298646e_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd38e7b9a3764fe564a710f05298646e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
840	dd38e7b9a3764fe564a710f05298646e_JaffaCakes118.exe
840	dd38e7b9a3764fe564a710f05298646e_JaffaCakes118.exe
840	dd38e7b9a3764fe564a710f05298646e_JaffaCakes118.exe
840	dd38e7b9a3764fe564a710f05298646e_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
840	dd38e7b9a3764fe564a710f05298646e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 3468	840	dd38e7b9a3764fe564a710f05298646e_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3468
- C:\Users\Admin\AppData\Local\Temp\dd38e7b9a3764fe564a710f05298646e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\dd38e7b9a3764fe564a710f05298646e_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\IECheck.exe

Filesize
79KB

MD5
dd38e7b9a3764fe564a710f05298646e

SHA1
d063fd94c5baf1ebcf02a02979be3510d145c5f7

SHA256
a87f3f428c1fa5d539aef5569a3ca1a29996ff1c27865e1ca44eabf87ff989c8

SHA512
1404f7c30908c85db2c2fba932f8343dd0f7c16b3a73f458c00d82a73a0569bcc78f423372621f52f90685a7cd5d897c245022e63af16e3afe6b48be707a1dbf

Download Submit
C:\Users\Admin\AppData\Local\msvcr.dll

Filesize
113KB

MD5
f101416cbd273a25397351f39ed9c475

SHA1
c91b089729849947a321d9ab57cb11cbede5583f

SHA256
7957b723414195b733bf3de4e9b23b0e5935e3585c0dbf65270eb9a1faa623bc

SHA512
36ea3313c75fa290da05055cdcc42ffd03cd8a35470d41d4f7bf7521aec5e4e25c1d5a67ae138cb908c50001b3ef20e59287c204817c4cb9e3ab877333ac03d4

Download Submit
C:\Users\Admin\AppData\Local\ws2help.PNF

Filesize
79KB

MD5
60bf1ba61ae4cc6de846fac3f2a3884f

SHA1
24d191936b15b6fb107484e7f3a9a5f1d23f90a9

SHA256
8f6c9ab493849b1f991c67be8562ad3f7e3231d14bd63f58228664190577fb9f

SHA512
d14f0c3a46ed4ac6f909b699191283806190bd24db7142e14383dd6e3535be2e0eed8e2fbc8201c9904aff831e8bfdcbc6a4ad9fee2ce4441aa72e191ad53c45

Download Submit
C:\Windows\INF\1.txt

Filesize
48KB

MD5
98c499fccb739ab23b75c0d8b98e0481

SHA1
0ef5c464823550d5f53dd485e91dabc5d5a1ba0a

SHA256
d9d8ce1b86b3978889466ab1b9f46778942d276922bf7533327a493083913087

SHA512
9e64ac13e18ab0a518bb85b6612520645b5ab2c9a5359ced943813ba7344714999f25ba0e52240ad2d0c2fefc76552ff43173adc46334ff0b5dba171fb58e4e6

Download Submit
memory/840-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/840-22-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download