2d3960b135fd2036f5f21705148f94e5defac00241c90e5569787bf59bec80f1

Analysis

max time kernel
150s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef121dbf59f5486348c3398f4f84cbd1_JaffaCakes118.exe
Size

529KB
MD5

ef121dbf59f5486348c3398f4f84cbd1
SHA1

a9caeb05b4c0d8df6ded2972db08407c27b7b9cb
SHA256

2d3960b135fd2036f5f21705148f94e5defac00241c90e5569787bf59bec80f1
SHA512

85ba3745c1f928827b9f7333c541843e25b43431856270eb7403a3a893c24f331512a123b132121a75cdee3279aaaf8299fea341f8e0b5f2786e8c356b9463e9
SSDEEP

12288:9fCCGiEGLUSA0fyPe97Dr7vuU14KuzJxv0:9fIGLUSA0mG/B14Ku/v

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1972	bL01803GoPhL01803.exe

Executes dropped EXE 1 IoCs

pid	Process
1972	bL01803GoPhL01803.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3384-2-0x0000000000400000-0x00000000004D9000-memory.dmp	upx
behavioral2/memory/3384-15-0x0000000000400000-0x00000000004D9000-memory.dmp	upx
behavioral2/memory/3384-16-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/1972-19-0x0000000000400000-0x00000000004D9000-memory.dmp	upx
behavioral2/memory/1972-27-0x0000000000400000-0x00000000004D9000-memory.dmp	upx
behavioral2/memory/1972-35-0x0000000000400000-0x00000000004D9000-memory.dmp	upx
behavioral2/memory/1972-48-0x0000000000400000-0x00000000004D9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bL01803GoPhL01803 = "C:\\ProgramData\\bL01803GoPhL01803\\bL01803GoPhL01803.exe"	bL01803GoPhL01803.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef121dbf59f5486348c3398f4f84cbd1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bL01803GoPhL01803.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3384	ef121dbf59f5486348c3398f4f84cbd1_JaffaCakes118.exe
3384	ef121dbf59f5486348c3398f4f84cbd1_JaffaCakes118.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3384	ef121dbf59f5486348c3398f4f84cbd1_JaffaCakes118.exe
Token: SeDebugPrivilege	1972	bL01803GoPhL01803.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1972	bL01803GoPhL01803.exe
1972	bL01803GoPhL01803.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3384 wrote to memory of 1972	3384	ef121dbf59f5486348c3398f4f84cbd1_JaffaCakes118.exe	85
PID 3384 wrote to memory of 1972	3384	ef121dbf59f5486348c3398f4f84cbd1_JaffaCakes118.exe	85
PID 3384 wrote to memory of 1972	3384	ef121dbf59f5486348c3398f4f84cbd1_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\ef121dbf59f5486348c3398f4f84cbd1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef121dbf59f5486348c3398f4f84cbd1_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3384
- C:\ProgramData\bL01803GoPhL01803\bL01803GoPhL01803.exe
  "C:\ProgramData\bL01803GoPhL01803\bL01803GoPhL01803.exe" "C:\Users\Admin\AppData\Local\Temp\ef121dbf59f5486348c3398f4f84cbd1_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bL01803GoPhL01803\bL01803GoPhL01803.exe

Filesize
529KB

MD5
830bc9bd1bb565544f97a8e0aa1a01d0

SHA1
e7531a6f7d78058c88075b16ab5ff54d4cdb6f4d

SHA256
320de373adf6e47ae37aa3f4854cdd2e50e3875a767ce0e8bd318a71976660b3

SHA512
2507d1ca4531baeac351a4754876ebb77a0e18626a567f4e8ee43374c99e90e6174cd54ecce85eef77bd062d694f0fc477ee185db986f66892e935cf524a407b

Download Submit
memory/1972-18-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1972-19-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1972-27-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1972-35-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1972-48-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/3384-1-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3384-2-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/3384-15-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/3384-16-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download