fc128c31aca833a113bfeedcde8cedda2ae7d1acfded022d7450735fa6331547

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaac55f915e3b4857717c99658eea501_JaffaCakes118.exe
Size

1.6MB
MD5

eaac55f915e3b4857717c99658eea501
SHA1

2630a0cfc0e9045a98ea330161d24275d66c32d5
SHA256

fc128c31aca833a113bfeedcde8cedda2ae7d1acfded022d7450735fa6331547
SHA512

d1e3717af40b39f3b4082679b1a1a7ccf8f8abd746473159baa67e45127532c943e610b83063647775347e7455c394ea4809b48cb575ccc3e87af896432ec636
SSDEEP

24576:oltywfYYOShXzXkm35OX0lmaWEU/tW9WLaFiNUMs3EjXEzrBM/AM/IFy3H:oL7fYyoHX1a79dbJ3ELEi

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4964	setup.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2204-0-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral2/files/0x00070000000234df-7.dat	upx
behavioral2/memory/4964-8-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2204-12-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral2/memory/4964-14-0x0000000000400000-0x000000000042A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaac55f915e3b4857717c99658eea501_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 4964	2204	eaac55f915e3b4857717c99658eea501_JaffaCakes118.exe	82
PID 2204 wrote to memory of 4964	2204	eaac55f915e3b4857717c99658eea501_JaffaCakes118.exe	82
PID 2204 wrote to memory of 4964	2204	eaac55f915e3b4857717c99658eea501_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\eaac55f915e3b4857717c99658eea501_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eaac55f915e3b4857717c99658eea501_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\TMPB391.tmp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\TMPB391.tmp\setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TMPB391.tmp\README.RTF

Filesize
3KB

MD5
9e629cdf2ec7e6b2622c7858bb601a85

SHA1
ff72932222d3476cc7caa1611c960a5e1b8d056f

SHA256
e968b15041ab5c739b72c2120168e2e868a4cad970e048ae2818adb291574366

SHA512
021b87fa09659a30ec16891c94b8c55a76f34f6a63a7177295c28e6917986f0e38471ce2f81b9808568215516bb2a50ab30a609e9cf9584483737b7e53472cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMPB391.tmp\SETUP.INI

Filesize
315B

MD5
16379c1a26040ca541ee3a76bb24c2b4

SHA1
36f70f927d3cd038bf6e7f6be64074ae56263c03

SHA256
aebb93fe6c363a90aeb20be4f1ca32ba743f703df65d854cc4ff5b70112db594

SHA512
4ce3804b284a63cd462d85789087595ea17c07d00f399827c9ffdc026d1d3762e622370a5da572098f5a01826988f64ab015193d022bc85f0f1ab9505b07ff56

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMPB391.tmp\setup.exe

Filesize
46KB

MD5
d7ff5f2bcb5fc630f39c80edbbaa4fea

SHA1
da08677e0e796b87d0d4ed975a8853e0b3c538c1

SHA256
555662669d5867ec788056d2709490cf40507438c3d937ce7849fdd8f373290d

SHA512
aa5943e84150939ced4f2c0aad6d588748cac9f083565e7fa3cf31143dcc9b6a2d0ebacd3802490d61bf64ecfcfda7b47f2fa94bcff709d9779e7b43ff1723d3

Download Submit
memory/2204-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2204-12-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4964-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4964-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download