80ade822a526d5c55756a34405afa7c7d73bcc3840a734d16b8b87143f68568d

Analysis

max time kernel
150s
max time network
31s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaa6e62eb9d2658f4a42c1f3aa9cac39_JaffaCakes118.exe
Size

444KB
MD5

eaa6e62eb9d2658f4a42c1f3aa9cac39
SHA1

2a1b9d9ef3883e086eb71b06f92fc0b333cbd843
SHA256

80ade822a526d5c55756a34405afa7c7d73bcc3840a734d16b8b87143f68568d
SHA512

37a92c9ba293535f872f7a8966ff8fac960e225a536c3ce30ec2926da57420264d86200ee333c54532658fc984282041ec17a0fe2685e385899c637cda0cea78
SSDEEP

12288:WG4/ICycu4oFU7VKRsr9jIirCPAweoHjyR5Rqq5w+HSCc:PcuP5UCFPAKmPRKQ

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3040	kB09100JaOaK09100.exe

Executes dropped EXE 1 IoCs

pid	Process
3040	kB09100JaOaK09100.exe

Loads dropped DLL 2 IoCs

pid	Process
2236	eaa6e62eb9d2658f4a42c1f3aa9cac39_JaffaCakes118.exe
2236	eaa6e62eb9d2658f4a42c1f3aa9cac39_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2236-2-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2236-19-0x0000000000400000-0x00000000004BF000-memory.dmp	upx
behavioral1/memory/2236-18-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/3040-31-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/3040-41-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kB09100JaOaK09100 = "C:\\ProgramData\\kB09100JaOaK09100\\kB09100JaOaK09100.exe"	kB09100JaOaK09100.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaa6e62eb9d2658f4a42c1f3aa9cac39_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kB09100JaOaK09100.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	kB09100JaOaK09100.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2236	eaa6e62eb9d2658f4a42c1f3aa9cac39_JaffaCakes118.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	eaa6e62eb9d2658f4a42c1f3aa9cac39_JaffaCakes118.exe
Token: SeDebugPrivilege	3040	kB09100JaOaK09100.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3040	kB09100JaOaK09100.exe
3040	kB09100JaOaK09100.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 3040	2236	eaa6e62eb9d2658f4a42c1f3aa9cac39_JaffaCakes118.exe	29
PID 2236 wrote to memory of 3040	2236	eaa6e62eb9d2658f4a42c1f3aa9cac39_JaffaCakes118.exe	29
PID 2236 wrote to memory of 3040	2236	eaa6e62eb9d2658f4a42c1f3aa9cac39_JaffaCakes118.exe	29
PID 2236 wrote to memory of 3040	2236	eaa6e62eb9d2658f4a42c1f3aa9cac39_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\eaa6e62eb9d2658f4a42c1f3aa9cac39_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eaa6e62eb9d2658f4a42c1f3aa9cac39_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\ProgramData\kB09100JaOaK09100\kB09100JaOaK09100.exe
  "C:\ProgramData\kB09100JaOaK09100\kB09100JaOaK09100.exe" "C:\Users\Admin\AppData\Local\Temp\eaa6e62eb9d2658f4a42c1f3aa9cac39_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kB09100JaOaK09100\kB09100JaOaK09100

Filesize
192B

MD5
93690734bf7c9207b4848a75dadb6d13

SHA1
2188d633f76ee162f52fc3f3b6266c2b22cd5c21

SHA256
d02b152178d3c802eafc071cbeb2cbd6a4b131696e1b8d8c8d72768d4301e4b4

SHA512
198941e2c89d837ccd679e41bb4077ef8403c4d100c780ca5b99464238f1a6a60c1407724eb828667daa0ec7a0ac951cb8cee4cc1454700f1ee444d7d23b1b17

Download Submit
\ProgramData\kB09100JaOaK09100\kB09100JaOaK09100.exe

Filesize
444KB

MD5
cf34622509f3825a0ee5d9974f2735d2

SHA1
78ff5444919b24ce1884898fef5a610a5686d603

SHA256
02d91ccaee23622b0adfebf083a172dfabe13a5541e08e41b4c2860c1dd80094

SHA512
abbb3587990b157cf279c8ab9bb7ba2726754320a4468cc44625ebf81301215241ac907100b7bc0f9f3521665a303ca3a363b9f509dff9c0876b00cb93583917

Download Submit
memory/2236-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2236-2-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2236-19-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2236-18-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3040-22-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3040-31-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3040-41-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download