d01901239b4a6e572eb79f781c66d199ddcea801ea34d7ba31019f2f195a074d

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
Size

445KB
MD5

e16d2a688be1d485ccade3e6e438046f
SHA1

44c0a2134dc98725466a7630f6b0732d08e714c6
SHA256

d01901239b4a6e572eb79f781c66d199ddcea801ea34d7ba31019f2f195a074d
SHA512

6d014e00dc3287b04a1214cd4ffd42716b57b8ac2fc693152eb05f42e40b385db42bc3ae5b9e2c4d2ef72a8e37acdd65b56f8bb2908d5dcda14fe553745f8c46
SSDEEP

6144:DOeNjg93bZLRYMRL6mNIFRrJJZZHKEAtOi30FW141Hbvc0ffl7sz3BD896tbSYpC:Dr4V36LaEAtkk4hYilsNw90Oe30B

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2252	kFeBaLb01806.exe

Executes dropped EXE 1 IoCs

pid	Process
2252	kFeBaLb01806.exe

Loads dropped DLL 2 IoCs

pid	Process
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1196-0-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/1196-3-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral1/files/0x000900000001756a-9.dat	upx
behavioral1/memory/2252-17-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/1196-21-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/1196-22-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral1/memory/2252-24-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/2252-40-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/1196-56-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/1196-57-0x0000000000400000-0x00000000004B3000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kFeBaLb01806 = "C:\\ProgramData\\kFeBaLb01806\\kFeBaLb01806.exe"	kFeBaLb01806.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kFeBaLb01806.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	kFeBaLb01806.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
2252	kFeBaLb01806.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
2252	kFeBaLb01806.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
2252	kFeBaLb01806.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
2252	kFeBaLb01806.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
2252	kFeBaLb01806.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
2252	kFeBaLb01806.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
2252	kFeBaLb01806.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
2252	kFeBaLb01806.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
2252	kFeBaLb01806.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
2252	kFeBaLb01806.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
2252	kFeBaLb01806.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
2252	kFeBaLb01806.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
2252	kFeBaLb01806.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
2252	kFeBaLb01806.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
2252	kFeBaLb01806.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
2252	kFeBaLb01806.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
2252	kFeBaLb01806.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
2252	kFeBaLb01806.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
2252	kFeBaLb01806.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
2252	kFeBaLb01806.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
2252	kFeBaLb01806.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
2252	kFeBaLb01806.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
2252	kFeBaLb01806.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
2252	kFeBaLb01806.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
2252	kFeBaLb01806.exe
1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
2252	kFeBaLb01806.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
Token: SeDebugPrivilege	2252	kFeBaLb01806.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2252	kFeBaLb01806.exe
2252	kFeBaLb01806.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2252	kFeBaLb01806.exe
2252	kFeBaLb01806.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2252	kFeBaLb01806.exe
2252	kFeBaLb01806.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2252	1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe	30
PID 1196 wrote to memory of 2252	1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe	30
PID 1196 wrote to memory of 2252	1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe	30
PID 1196 wrote to memory of 2252	1196	e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196
- C:\ProgramData\kFeBaLb01806\kFeBaLb01806.exe
  "C:\ProgramData\kFeBaLb01806\kFeBaLb01806.exe" "C:\Users\Admin\AppData\Local\Temp\e16d2a688be1d485ccade3e6e438046f_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\kFeBaLb01806\kFeBaLb01806.exe

Filesize
445KB

MD5
ae0b89c8c597c57f79bff1e4d6504f1d

SHA1
06850b7c4a2250dd5498f2663a3fccc7826bb613

SHA256
f69ccbfb35b642125d0cf175e34ed5feb0d71cf1ab9c5b4b4cbdc0ca144fc268

SHA512
3f1d3f1d8a6200d5f9d6898db0b0f87a1234fb4091166e37f52ffe5e6d5d551139fd2576a9a58181f09acc4faa2cce0a9db52d8e78963a6f1bfc259272963166

Download Submit
memory/1196-56-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1196-2-0x0000000000240000-0x000000000028F000-memory.dmp

Filesize
316KB

Download
memory/1196-1-0x00000000004C0000-0x000000000055D000-memory.dmp

Filesize
628KB

Download
memory/1196-3-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1196-15-0x0000000001E40000-0x0000000001EFB000-memory.dmp

Filesize
748KB

Download
memory/1196-0-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1196-21-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1196-22-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1196-57-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2252-17-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2252-40-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2252-24-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download