491447129af236e0ddb718e0b40e40ef2b2904efad2895a85aed3f2ab8b0e440

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2024 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe
Size

1.9MB
MD5

f119cfe2437e5e2cd663095695d445d6
SHA1

0f75d60069e5a47bca8ebfe6822bdecc79803a6e
SHA256

491447129af236e0ddb718e0b40e40ef2b2904efad2895a85aed3f2ab8b0e440
SHA512

3795822f2fe87fc483899b9c0c9ca390d09d6cbd1bfae2f07eceb8e7c1c7195e922909eebd20ea7fa08618b5f3a1f5db97b51ea8460acc87852af36c50198b89
SSDEEP

49152:w/DsUN6okJ1FhHUmbA2PSrJpyRLlim3UoiMQ:IkLFuIA2x/T3UoDQ

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Cloud AV 2012v121.exe

Executes dropped EXE 2 IoCs

pid	Process
3508	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1240-2-0x0000000000400000-0x000000000091A000-memory.dmp	upx
behavioral2/memory/1240-9-0x0000000000400000-0x0000000000917000-memory.dmp	upx
behavioral2/memory/1240-8-0x0000000000400000-0x000000000091A000-memory.dmp	upx
behavioral2/memory/3508-11-0x0000000000400000-0x000000000091A000-memory.dmp	upx
behavioral2/memory/3508-17-0x0000000000400000-0x000000000091A000-memory.dmp	upx
behavioral2/memory/1144-20-0x0000000000400000-0x000000000091A000-memory.dmp	upx
behavioral2/memory/1144-73-0x0000000000400000-0x000000000091A000-memory.dmp	upx
behavioral2/memory/1144-93-0x0000000000400000-0x000000000091A000-memory.dmp	upx
behavioral2/memory/1144-115-0x0000000000400000-0x000000000091A000-memory.dmp	upx
behavioral2/memory/1144-126-0x0000000000400000-0x000000000091A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YS1ivD3on4m6W7E8234A = "C:\\Windows\\system32\\Cloud AV 2012v121.exe"	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ducS2ibF3n5Q6W88234A = "C:\\Users\\Admin\\AppData\\Roaming\\zcA1uvD2oFpHsJd\\Cloud AV 2012v121.exe"	Cloud AV 2012v121.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cloud AV 2012v121.exe	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Cloud AV 2012v121.exe	Cloud AV 2012v121.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cloud AV 2012v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cloud AV 2012v121.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3508	Cloud AV 2012v121.exe
3508	Cloud AV 2012v121.exe
3508	Cloud AV 2012v121.exe
3508	Cloud AV 2012v121.exe
3508	Cloud AV 2012v121.exe
3508	Cloud AV 2012v121.exe
3508	Cloud AV 2012v121.exe
3508	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1700	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1240	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe
3508	Cloud AV 2012v121.exe
3508	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe
1144	Cloud AV 2012v121.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 3508	1240	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe	82
PID 1240 wrote to memory of 3508	1240	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe	82
PID 1240 wrote to memory of 3508	1240	f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe	82
PID 3508 wrote to memory of 1144	3508	Cloud AV 2012v121.exe	83
PID 3508 wrote to memory of 1144	3508	Cloud AV 2012v121.exe	83
PID 3508 wrote to memory of 1144	3508	Cloud AV 2012v121.exe	83

C:\Users\Admin\AppData\Local\Temp\f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\SysWOW64\Cloud AV 2012v121.exe
  C:\Windows\system32\Cloud AV 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\f119cfe2437e5e2cd663095695d445d6_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Users\Admin\AppData\Roaming\zcA1uvD2oFpHsJd\Cloud AV 2012v121.exe
    C:\Users\Admin\AppData\Roaming\zcA1uvD2oFpHsJd\Cloud AV 2012v121.exe 5985C:\Windows\SysWOW64\Cloud AV 2012v121.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1144

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ahst.lni

Filesize
612B

MD5
52260f153c4cd30bd3b68e99cec2713e

SHA1
5bbecb24440aedb1938cdf9b8fc767b9ef22cd9c

SHA256
6647bb2388918a72cf2ad5e8963cdda4cdee5fbe35c1907efbeab6084e72e114

SHA512
e3b44df7d0487462673764ac86dd1d23e7daa6a733700e4d83394e8a7c2944675b0d88df493282b61ef09a89d2465929bcec6dbbede0e00bdb2129f8314059d0

Download Submit
C:\Users\Admin\AppData\Roaming\ahst.lni

Filesize
1KB

MD5
261e25e07f5b4f1aee02242629d0cb33

SHA1
bc645553cdc3fb32fb851843d4ef31bdcbd9acee

SHA256
8baa3ac72b82cfe317c0f8ce61a3415e89e72911210286af17a2371166465fd4

SHA512
ffd90ec3cc7b037dcd9ac0cfc9a3ad6225db6ceb3011274d4c7939b3bbcf7374089c99ee797dfb7abefe7943fc0a6647ec07b03f4e94521c36749da08b059333

Download Submit
C:\Windows\SysWOW64\Cloud AV 2012v121.exe

Filesize
1.9MB

MD5
f119cfe2437e5e2cd663095695d445d6

SHA1
0f75d60069e5a47bca8ebfe6822bdecc79803a6e

SHA256
491447129af236e0ddb718e0b40e40ef2b2904efad2895a85aed3f2ab8b0e440

SHA512
3795822f2fe87fc483899b9c0c9ca390d09d6cbd1bfae2f07eceb8e7c1c7195e922909eebd20ea7fa08618b5f3a1f5db97b51ea8460acc87852af36c50198b89

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
f6f947c419997f3a6b18c114883a14c4

SHA1
75674e5c52c2eb26b8ed2b2b6d8d462a5122fbd3

SHA256
d3e514a0f54ed20e43f10506a6100eb2d9e8ea567c9584ab806f87f3eefb0ef6

SHA512
171c308ed159a6cd2c75212694139e7a250976c85946d5f9d6e26eece40b13a7617fb203a7f086cb89ac49f919bbbcbda4f3372e1c3ecbb23897874dfb9734f6

Download Submit
memory/1144-93-0x0000000000400000-0x000000000091A000-memory.dmp

Filesize
5.1MB

Download
memory/1144-19-0x0000000000400000-0x000000000091A000-memory.dmp

Filesize
5.1MB

Download
memory/1144-20-0x0000000000400000-0x000000000091A000-memory.dmp

Filesize
5.1MB

Download
memory/1144-73-0x0000000000400000-0x000000000091A000-memory.dmp

Filesize
5.1MB

Download
memory/1144-115-0x0000000000400000-0x000000000091A000-memory.dmp

Filesize
5.1MB

Download
memory/1144-126-0x0000000000400000-0x000000000091A000-memory.dmp

Filesize
5.1MB

Download
memory/1240-8-0x0000000000400000-0x000000000091A000-memory.dmp

Filesize
5.1MB

Download
memory/1240-9-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/1240-1-0x0000000000400000-0x0000000000917000-memory.dmp

Filesize
5.1MB

Download
memory/1240-2-0x0000000000400000-0x000000000091A000-memory.dmp

Filesize
5.1MB

Download
memory/3508-11-0x0000000000400000-0x000000000091A000-memory.dmp

Filesize
5.1MB

Download
memory/3508-17-0x0000000000400000-0x000000000091A000-memory.dmp

Filesize
5.1MB

Download