e1a5c118c2be1e9857415dca4f7a42293e4b5e42093e4a221b0719970ca65dcd

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaaba645191a435e78d6d8ff0d4117a2_JaffaCakes118.exe
Size

606KB
MD5

eaaba645191a435e78d6d8ff0d4117a2
SHA1

ae7908786370f62f00ed87853d7e00565b1dd35e
SHA256

e1a5c118c2be1e9857415dca4f7a42293e4b5e42093e4a221b0719970ca65dcd
SHA512

c6e82d88e47e3172c00e3381f5bdfa3a29ac8d96225e9e800d7847d5ffc24e9edc05a160a3bd381e466a8c508a95dfb8530e3b134039f6fd583c4ba24bc700ad
SSDEEP

12288:/d+bmm1yncU167LcS3CkFQ5EqJUUpfdjSS:/d+KmrUs7LcSfOHtpfJS

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
1484	svchest.exe
3492	svchest.exe
2076	svchest.exe
4740	svchest.exe
2572	svchest.exe
728	svchest.exe
2868	svchest.exe
1564	svchest.exe
3004	svchest.exe
4880	svchest.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1224-0-0x0000000000400000-0x0000000000499000-memory.dmp	upx
behavioral2/files/0x000d000000023bb4-5.dat	upx
behavioral2/memory/1224-7-0x0000000000400000-0x0000000000499000-memory.dmp	upx
behavioral2/memory/1484-8-0x0000000000400000-0x0000000000499000-memory.dmp	upx
behavioral2/memory/3492-10-0x0000000000400000-0x0000000000499000-memory.dmp	upx
behavioral2/memory/2076-12-0x0000000000400000-0x0000000000499000-memory.dmp	upx
behavioral2/memory/4740-14-0x0000000000400000-0x0000000000499000-memory.dmp	upx
behavioral2/memory/2572-16-0x0000000000400000-0x0000000000499000-memory.dmp	upx
behavioral2/memory/728-18-0x0000000000400000-0x0000000000499000-memory.dmp	upx
behavioral2/memory/2868-20-0x0000000000400000-0x0000000000499000-memory.dmp	upx
behavioral2/memory/1564-22-0x0000000000400000-0x0000000000499000-memory.dmp	upx
behavioral2/memory/3004-24-0x0000000000400000-0x0000000000499000-memory.dmp	upx
behavioral2/memory/4880-26-0x0000000000400000-0x0000000000499000-memory.dmp	upx

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchest.exe	svchest.exe
File created	C:\Windows\SysWOW64\svchest.exe	svchest.exe
File opened for modification	C:\Windows\SysWOW64\svchest.exe	svchest.exe
File opened for modification	C:\Windows\SysWOW64\svchest.exe	svchest.exe
File opened for modification	C:\Windows\SysWOW64\svchest.exe	svchest.exe
File opened for modification	C:\Windows\SysWOW64\svchest.exe	eaaba645191a435e78d6d8ff0d4117a2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\svchest.exe	svchest.exe
File opened for modification	C:\Windows\SysWOW64\svchest.exe	svchest.exe
File opened for modification	C:\Windows\SysWOW64\svchest.exe	svchest.exe
File created	C:\Windows\SysWOW64\svchest.exe	svchest.exe
File created	C:\Windows\SysWOW64\svchest.exe	svchest.exe
File created	C:\Windows\SysWOW64\svchest.exe	svchest.exe
File created	C:\Windows\SysWOW64\svchest.exe	svchest.exe
File opened for modification	C:\Windows\SysWOW64\svchest.exe	svchest.exe
File created	C:\Windows\SysWOW64\svchest.exe	svchest.exe
File created	C:\Windows\SysWOW64\svchest.exe	eaaba645191a435e78d6d8ff0d4117a2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svchest.exe	svchest.exe
File created	C:\Windows\SysWOW64\svchest.exe	svchest.exe
File created	C:\Windows\SysWOW64\svchest.exe	svchest.exe
File opened for modification	C:\Windows\SysWOW64\svchest.exe	svchest.exe
File opened for modification	C:\Windows\SysWOW64\svchest.exe	svchest.exe
File opened for modification	C:\Windows\SysWOW64\svchest.exe	svchest.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaaba645191a435e78d6d8ff0d4117a2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchest.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 1484	1224	eaaba645191a435e78d6d8ff0d4117a2_JaffaCakes118.exe	85
PID 1224 wrote to memory of 1484	1224	eaaba645191a435e78d6d8ff0d4117a2_JaffaCakes118.exe	85
PID 1224 wrote to memory of 1484	1224	eaaba645191a435e78d6d8ff0d4117a2_JaffaCakes118.exe	85
PID 1484 wrote to memory of 3492	1484	svchest.exe	95
PID 1484 wrote to memory of 3492	1484	svchest.exe	95
PID 1484 wrote to memory of 3492	1484	svchest.exe	95
PID 3492 wrote to memory of 2076	3492	svchest.exe	97
PID 3492 wrote to memory of 2076	3492	svchest.exe	97
PID 3492 wrote to memory of 2076	3492	svchest.exe	97
PID 2076 wrote to memory of 4740	2076	svchest.exe	100
PID 2076 wrote to memory of 4740	2076	svchest.exe	100
PID 2076 wrote to memory of 4740	2076	svchest.exe	100
PID 4740 wrote to memory of 2572	4740	svchest.exe	101
PID 4740 wrote to memory of 2572	4740	svchest.exe	101
PID 4740 wrote to memory of 2572	4740	svchest.exe	101
PID 2572 wrote to memory of 728	2572	svchest.exe	103
PID 2572 wrote to memory of 728	2572	svchest.exe	103
PID 2572 wrote to memory of 728	2572	svchest.exe	103
PID 728 wrote to memory of 2868	728	svchest.exe	104
PID 728 wrote to memory of 2868	728	svchest.exe	104
PID 728 wrote to memory of 2868	728	svchest.exe	104
PID 2868 wrote to memory of 1564	2868	svchest.exe	113
PID 2868 wrote to memory of 1564	2868	svchest.exe	113
PID 2868 wrote to memory of 1564	2868	svchest.exe	113
PID 1564 wrote to memory of 3004	1564	svchest.exe	114
PID 1564 wrote to memory of 3004	1564	svchest.exe	114
PID 1564 wrote to memory of 3004	1564	svchest.exe	114
PID 3004 wrote to memory of 4880	3004	svchest.exe	115
PID 3004 wrote to memory of 4880	3004	svchest.exe	115
PID 3004 wrote to memory of 4880	3004	svchest.exe	115

C:\Users\Admin\AppData\Local\Temp\eaaba645191a435e78d6d8ff0d4117a2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eaaba645191a435e78d6d8ff0d4117a2_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\SysWOW64\svchest.exe
  C:\Windows\system32\svchest.exe 1004 "C:\Users\Admin\AppData\Local\Temp\eaaba645191a435e78d6d8ff0d4117a2_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\svchest.exe
    C:\Windows\system32\svchest.exe 1132 "C:\Windows\SysWOW64\svchest.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3492
  - - C:\Windows\SysWOW64\svchest.exe
      C:\Windows\system32\svchest.exe 1096 "C:\Windows\SysWOW64\svchest.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2076
    - - C:\Windows\SysWOW64\svchest.exe
        
        C:\Windows\system32\svchest.exe 980 "C:\Windows\SysWOW64\svchest.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4740
      - C:\Windows\SysWOW64\svchest.exe
        
        C:\Windows\system32\svchest.exe 1104 "C:\Windows\SysWOW64\svchest.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\svchest.exe
        
        C:\Windows\system32\svchest.exe 1092 "C:\Windows\SysWOW64\svchest.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:728
        
        C:\Windows\SysWOW64\svchest.exe
        
        C:\Windows\system32\svchest.exe 1100 "C:\Windows\SysWOW64\svchest.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\svchest.exe
        
        C:\Windows\system32\svchest.exe 1116 "C:\Windows\SysWOW64\svchest.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\svchest.exe
        
        C:\Windows\system32\svchest.exe 1120 "C:\Windows\SysWOW64\svchest.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\svchest.exe
        
        C:\Windows\system32\svchest.exe 1124 "C:\Windows\SysWOW64\svchest.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\svchest.exe

Filesize
606KB

MD5
eaaba645191a435e78d6d8ff0d4117a2

SHA1
ae7908786370f62f00ed87853d7e00565b1dd35e

SHA256
e1a5c118c2be1e9857415dca4f7a42293e4b5e42093e4a221b0719970ca65dcd

SHA512
c6e82d88e47e3172c00e3381f5bdfa3a29ac8d96225e9e800d7847d5ffc24e9edc05a160a3bd381e466a8c508a95dfb8530e3b134039f6fd583c4ba24bc700ad

Download Submit
memory/728-18-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/1224-7-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/1224-0-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/1484-8-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/1564-22-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/2076-12-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/2572-16-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/2868-20-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/3004-24-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/3492-10-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4740-14-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4880-26-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download