504283d6b0d927c895624c91355166b675f685487f6d90985364c49d79d7af24

Analysis

max time kernel
150s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe
Size

2.8MB
MD5

df18a0564994b769d501cd7bf5911291
SHA1

c26015ba47f54524aca183b500ffafdb4773e709
SHA256

504283d6b0d927c895624c91355166b675f685487f6d90985364c49d79d7af24
SHA512

705b77279ff8c29430de1b3e174496ca9019e53f57b3afda1439cc2c930af8894d71a1b3ac6179bb708365a6e869c89d13b7581b583b8cb61bb5179453e28721
SSDEEP

49152:W52c0o7BhDIjyyMP0/KM9MBQuM8T98oh3MYAZCwxo/v+KFJZf9V43ciL8E:dvo9hDI2yMP02BQuM8+oFMY6CekHGcij

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AV Security 2012v121.exe

Executes dropped EXE 2 IoCs

pid	Process
4964	AV Security 2012v121.exe
4124	AV Security 2012v121.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/548-7-0x0000000000400000-0x00000000008F6C00-memory.dmp	upx
behavioral2/memory/548-12-0x0000000000400000-0x00000000008F6C00-memory.dmp	upx
behavioral2/memory/548-16-0x0000000000400000-0x00000000008E4000-memory.dmp	upx
behavioral2/memory/4964-23-0x0000000000400000-0x00000000008F6C00-memory.dmp	upx
behavioral2/memory/4124-57-0x0000000000400000-0x00000000008F6C00-memory.dmp	upx
behavioral2/memory/4124-71-0x0000000000400000-0x00000000008F6C00-memory.dmp	upx
behavioral2/memory/4124-82-0x0000000000400000-0x00000000008F6C00-memory.dmp	upx
behavioral2/memory/4124-93-0x0000000000400000-0x00000000008F6C00-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\X1ivD3onGaHsKfL8234A = "C:\\Windows\\system32\\AV Security 2012v121.exe"	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QONyxA0uv2b3m5Q8234A = "C:\\Users\\Admin\\AppData\\Roaming\\y1ivD3onFaH\\AV Security 2012v121.exe"	AV Security 2012v121.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\AV Security 2012v121.exe	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AV Security 2012v121.exe	AV Security 2012v121.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV Security 2012v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV Security 2012v121.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4964	AV Security 2012v121.exe
4964	AV Security 2012v121.exe
4964	AV Security 2012v121.exe
4964	AV Security 2012v121.exe
4964	AV Security 2012v121.exe
4964	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	800	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
548	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe
4964	AV Security 2012v121.exe
4964	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe
4124	AV Security 2012v121.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 4964	548	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe	88
PID 548 wrote to memory of 4964	548	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe	88
PID 548 wrote to memory of 4964	548	df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe	88
PID 4964 wrote to memory of 4124	4964	AV Security 2012v121.exe	92
PID 4964 wrote to memory of 4124	4964	AV Security 2012v121.exe	92
PID 4964 wrote to memory of 4124	4964	AV Security 2012v121.exe	92

C:\Users\Admin\AppData\Local\Temp\df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\SysWOW64\AV Security 2012v121.exe
  C:\Windows\system32\AV Security 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\df18a0564994b769d501cd7bf5911291_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Users\Admin\AppData\Roaming\y1ivD3onFaH\AV Security 2012v121.exe
    C:\Users\Admin\AppData\Roaming\y1ivD3onFaH\AV Security 2012v121.exe 5985C:\Windows\SysWOW64\AV Security 2012v121.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4124

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\m9F4D.tmp

Filesize
235B

MD5
9ecd54596b0e3e8b44cc923aa042d2c4

SHA1
87f180bcff9fcbf4abd193f1a1b5b8f0c9c945d7

SHA256
ca7f5a27c0f966bd5e0cdc85858f211202ffae7e1224f2f83135c1c6c0811114

SHA512
2b74e3ec3b301345afe53f28f626fd711c69b9230763481589b5b259d399a54a2d53ceefcdc3fd0c3fa813bacaed8707013a95c4f885f942c0692312fa5cc06a

Download Submit
C:\Users\Admin\AppData\Roaming\ldr.ini

Filesize
1KB

MD5
edee25d45d8b5725a70c3e97f4aa5e48

SHA1
9da4290bbaa8c70c1e3205468000551b53796e7b

SHA256
9e4b763b6a5d8c9ae724bacb11a8570ee5b84ed0e70261890b5c55a9e26bafff

SHA512
0191c2fa070c001b098ef3bf7abfa2d1519330c33f68b9b244cf7cb8e23eaab9070f145cbe270cbec5e469f945a66c490a62303ad26184669ac32f7764a17f86

Download Submit
C:\Windows\SysWOW64\AV Security 2012v121.exe

Filesize
2.8MB

MD5
df18a0564994b769d501cd7bf5911291

SHA1
c26015ba47f54524aca183b500ffafdb4773e709

SHA256
504283d6b0d927c895624c91355166b675f685487f6d90985364c49d79d7af24

SHA512
705b77279ff8c29430de1b3e174496ca9019e53f57b3afda1439cc2c930af8894d71a1b3ac6179bb708365a6e869c89d13b7581b583b8cb61bb5179453e28721

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
7eab0ddcbf3cec31ec7731b53fdb09d0

SHA1
bd75e8a2e47b1153d901874b4ecaff0c1222d149

SHA256
a0c9a8935e73279c9a1891afdfa494667cad34cf55063ad912c00ef3706cb280

SHA512
aff2f2bfd15f2840e0939b8fd73fea30797394d9fe5d14d02c86df6fe2ee5d28dccdfc3838777b8678c7c8278d3ee286dca219d4344b8782bca52a6dd1e9f4ca

Download Submit
memory/548-4-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/548-12-0x0000000000400000-0x00000000008F6C00-memory.dmp

Filesize
5.0MB

Download
memory/548-16-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/548-5-0x0000000000400000-0x00000000008F6C00-memory.dmp

Filesize
5.0MB

Download
memory/548-3-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/548-7-0x0000000000400000-0x00000000008F6C00-memory.dmp

Filesize
5.0MB

Download
memory/4124-28-0x0000000000400000-0x00000000008F6C00-memory.dmp

Filesize
5.0MB

Download
memory/4124-57-0x0000000000400000-0x00000000008F6C00-memory.dmp

Filesize
5.0MB

Download
memory/4124-71-0x0000000000400000-0x00000000008F6C00-memory.dmp

Filesize
5.0MB

Download
memory/4124-82-0x0000000000400000-0x00000000008F6C00-memory.dmp

Filesize
5.0MB

Download
memory/4124-93-0x0000000000400000-0x00000000008F6C00-memory.dmp

Filesize
5.0MB

Download
memory/4964-23-0x0000000000400000-0x00000000008F6C00-memory.dmp

Filesize
5.0MB

Download