cba944cc84411c39ab131dbd0d0ba22d3056218ef853f539f053b634a896168f

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f02305330f50171aea1d900fdd34144a_JaffaCakes118.exe
Size

76KB
MD5

f02305330f50171aea1d900fdd34144a
SHA1

67ae2532c017f9f29af6222a9d4fb03eb1a9469f
SHA256

cba944cc84411c39ab131dbd0d0ba22d3056218ef853f539f053b634a896168f
SHA512

2cfebed5d1fdb5ac341b0f0c3a329f3ecade064a844be91a6520ebfa12d7f3bf8be7b1bc7532a5edce9bd776c8f2c9debe59cd854bb5b2077bf829f977bffba0
SSDEEP

768:PgRh4wyVqzzpZbvoJF9uR6/DmKKl4aNxvIaiYHaeXJR3GZKyy83Nu4iEMlzr:PgRh4wyVOby+RqKBI5bgGQyy89u4i/

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	icthis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\some = "C:\\Program Files (x86)\\Online Add-on\\icthis.exe"	icthis.exe

Deletes itself 1 IoCs

pid	Process
2860	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1804	icthis.exe
2788	icmntr.exe

Loads dropped DLL 4 IoCs

pid	Process
1860	f02305330f50171aea1d900fdd34144a_JaffaCakes118.exe
1860	f02305330f50171aea1d900fdd34144a_JaffaCakes118.exe
1804	icthis.exe
1804	icthis.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000001752f-11.dat	upx
behavioral1/memory/2788-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Online Add-on\icthis.exe	f02305330f50171aea1d900fdd34144a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Online Add-on\icun.exe	f02305330f50171aea1d900fdd34144a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Online Add-on\icmntr.exe	icthis.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f02305330f50171aea1d900fdd34144a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icthis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1860	f02305330f50171aea1d900fdd34144a_JaffaCakes118.exe
1804	icthis.exe
2788	icmntr.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe
1804	icthis.exe
2788	icmntr.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 1804	1860	f02305330f50171aea1d900fdd34144a_JaffaCakes118.exe	30
PID 1860 wrote to memory of 1804	1860	f02305330f50171aea1d900fdd34144a_JaffaCakes118.exe	30
PID 1860 wrote to memory of 1804	1860	f02305330f50171aea1d900fdd34144a_JaffaCakes118.exe	30
PID 1860 wrote to memory of 1804	1860	f02305330f50171aea1d900fdd34144a_JaffaCakes118.exe	30
PID 1804 wrote to memory of 2788	1804	icthis.exe	31
PID 1804 wrote to memory of 2788	1804	icthis.exe	31
PID 1804 wrote to memory of 2788	1804	icthis.exe	31
PID 1804 wrote to memory of 2788	1804	icthis.exe	31
PID 1860 wrote to memory of 2860	1860	f02305330f50171aea1d900fdd34144a_JaffaCakes118.exe	32
PID 1860 wrote to memory of 2860	1860	f02305330f50171aea1d900fdd34144a_JaffaCakes118.exe	32
PID 1860 wrote to memory of 2860	1860	f02305330f50171aea1d900fdd34144a_JaffaCakes118.exe	32
PID 1860 wrote to memory of 2860	1860	f02305330f50171aea1d900fdd34144a_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\f02305330f50171aea1d900fdd34144a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f02305330f50171aea1d900fdd34144a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Program Files (x86)\Online Add-on\icthis.exe
  "C:\Program Files (x86)\Online Add-on\icthis.exe"
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Program Files (x86)\Online Add-on\icmntr.exe
    "C:\Program Files (x86)\Online Add-on\icmntr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_off0.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_off0.bat

Filesize
302B

MD5
a6edeb26f4fda6f21dbe0cf682fd2289

SHA1
5aee3dd87eaebd696ac6aeb3f8f207abc4638db0

SHA256
cde6a1475402cd6fe9460069591e614ac9514b2cdfdc761d8459c1ead03870bd

SHA512
9cf587ac5741bf1d61ee1e91a26504f82c7b807a92f610036fd463ea104eb1e2affddbbcd893987b6ae4b6a93589a664e8e9caa4592ec4eadb589ffee1c555e7

Download Submit
\Program Files (x86)\Online Add-on\icmntr.exe

Filesize
7KB

MD5
e5f850e25e250fbc87103f3eee25b1b4

SHA1
4ff3917b536f7c26a9ee51cd250fc30be21717e6

SHA256
1be0d6ca5da55f6e7f267c1acf23cfc1a527860c531fc673463fcbbcace93761

SHA512
2316954836f147327f10d8fdcb09192f26124f90482f443f0c05dcb3bddd4da6504496cb606d1ff30f376e4ee0f88260fc083014022076d8503f008ed2fa831f

Download Submit
\Program Files (x86)\Online Add-on\icthis.exe

Filesize
30KB

MD5
fb82652619fcc34ab4ff8e765f92eaee

SHA1
2534930fba03e3dbd7548499d6177e41f57632eb

SHA256
75e31e45e208bc67966789225744e1daeddd8772b731c1d1a6ee16a17e215bdf

SHA512
6cd3d8a36afee077b8bce695dde89e56cd02a24c9ac7c6e499ea58d8c0ca98b060d33785540f1913036f10a8f7049687b138f6367c793355287493b1b8ca4054

Download Submit
memory/1804-13-0x00000000006C0000-0x00000000006C8000-memory.dmp

Filesize
32KB

Download
memory/1804-28-0x00000000006C0000-0x00000000006C8000-memory.dmp

Filesize
32KB

Download
memory/1804-29-0x00000000006C0000-0x00000000006C8000-memory.dmp

Filesize
32KB

Download
memory/2788-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download