4f81092552663aaf57c5c961ca378193dca0ff0e8d6981899a201e26e22e18fd

Analysis

max time kernel
150s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe
Size

2.8MB
MD5

f5914258c41db889e402903ac67ed4f6
SHA1

83e793ac1f9035755fa51bc49a0714343a317156
SHA256

4f81092552663aaf57c5c961ca378193dca0ff0e8d6981899a201e26e22e18fd
SHA512

6a9b995e337c2d9007c01973e6c90befd25e9df97f4e9374c93d3226536c70b5b4a0819aaf6affa79879bca8aa3b1d2a85d201730b9f51b89959279962677137
SSDEEP

49152:EDmsKRJj/P7GP/LqXUTeCLdkt0wbZLHmWUlrvJYW/zPU2+kIqNB:E6sKRF/zGP+XHCLdcb1HNUlL6oPUVS

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AV Protection 2011v121.exe

Executes dropped EXE 2 IoCs

pid	Process
4880	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gH6sWK7fE9T8234A = "C:\\Windows\\system32\\AV Protection 2011v121.exe"	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XrzONyxA0v2b3m58234A = "C:\\Users\\Admin\\AppData\\Roaming\\elIBtzP0yAiDoFa\\AV Protection 2011v121.exe"	AV Protection 2011v121.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\AV Protection 2011v121.exe	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AV Protection 2011v121.exe	AV Protection 2011v121.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1528-10-0x0000000000400000-0x00000000008EC800-memory.dmp	upx
behavioral2/memory/1528-11-0x0000000000400000-0x00000000008EC800-memory.dmp	upx
behavioral2/memory/1528-16-0x0000000000400000-0x00000000008EC800-memory.dmp	upx
behavioral2/memory/1528-20-0x0000000000400000-0x00000000008E4000-memory.dmp	upx
behavioral2/memory/4880-27-0x0000000000400000-0x00000000008EC800-memory.dmp	upx
behavioral2/memory/4880-28-0x0000000000400000-0x00000000008EC800-memory.dmp	upx
behavioral2/memory/4880-37-0x0000000000400000-0x00000000008EC800-memory.dmp	upx
behavioral2/memory/3672-71-0x0000000000400000-0x00000000008EC800-memory.dmp	upx
behavioral2/memory/3672-93-0x0000000000400000-0x00000000008EC800-memory.dmp	upx
behavioral2/memory/3672-106-0x0000000000400000-0x00000000008EC800-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV Protection 2011v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV Protection 2011v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4880	AV Protection 2011v121.exe
4880	AV Protection 2011v121.exe
4880	AV Protection 2011v121.exe
4880	AV Protection 2011v121.exe
4880	AV Protection 2011v121.exe
4880	AV Protection 2011v121.exe
4880	AV Protection 2011v121.exe
4880	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3600	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1528	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe
4880	AV Protection 2011v121.exe
4880	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe
3672	AV Protection 2011v121.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 4880	1528	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe	83
PID 1528 wrote to memory of 4880	1528	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe	83
PID 1528 wrote to memory of 4880	1528	f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe	83
PID 4880 wrote to memory of 3672	4880	AV Protection 2011v121.exe	86
PID 4880 wrote to memory of 3672	4880	AV Protection 2011v121.exe	86
PID 4880 wrote to memory of 3672	4880	AV Protection 2011v121.exe	86

C:\Users\Admin\AppData\Local\Temp\f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\SysWOW64\AV Protection 2011v121.exe
  C:\Windows\system32\AV Protection 2011v121.exe 5985C:\Users\Admin\AppData\Local\Temp\f5914258c41db889e402903ac67ed4f6_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Users\Admin\AppData\Roaming\elIBtzP0yAiDoFa\AV Protection 2011v121.exe
    C:\Users\Admin\AppData\Roaming\elIBtzP0yAiDoFa\AV Protection 2011v121.exe 5985C:\Windows\SysWOW64\AV Protection 2011v121.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3672

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nfb9114.tmp

Filesize
228B

MD5
27b4354e7db4fc75f357cd7d7cdf3c6d

SHA1
6a8f0172da7d8b7937ab0485336fce17b9ba99fc

SHA256
cab01e7d2f99648f5cad4850308f64e8768613551c4b8650ab096b6459bc68da

SHA512
da86ab1091422383c66b3b86c2f721d8964d0417a503c573dfaa5d008ad3a4ad022afe52020a781c8894be9f849ef089a4c4bee614c35e9e5ab88cbdf5de75cf

Download Submit
C:\Users\Admin\AppData\Roaming\ldr.ini

Filesize
909B

MD5
c7bb94b64b877c98da0aa727d67a9aad

SHA1
b4104db3130c28ad123f955b65c96bcfe03fb83c

SHA256
84f0bd69ef363b89bfed8266f8f5173ea1480344d443b2a0ad429f21498fd51d

SHA512
c08bb5158e93003460ed7f73cdcc7d57063260876a91944438d6e28fa5f5b779294cc437204b5aa7303fd6af23e986bf40c51b5eb867b6ef3ae7b7ddb827f467

Download Submit
C:\Users\Admin\AppData\Roaming\ldr.ini

Filesize
1KB

MD5
674b68c799b56f4eff7d8981edfefcdb

SHA1
0e0fb6f94e06083e2bd6f2ceb88bdd4d868ec064

SHA256
aaa79c3abc4ca1864fd64036602617880ed53b85ff2002621111e19e23016658

SHA512
8ca20e976a514871c22df2e5dbb282ab0c38783a49b279ae5c36da174772f3e470b10e961046e31737a8b4e0f6e7691227ecdb05557e37d9528ea183391b77c7

Download Submit
C:\Windows\SysWOW64\AV Protection 2011v121.exe

Filesize
2.8MB

MD5
f5914258c41db889e402903ac67ed4f6

SHA1
83e793ac1f9035755fa51bc49a0714343a317156

SHA256
4f81092552663aaf57c5c961ca378193dca0ff0e8d6981899a201e26e22e18fd

SHA512
6a9b995e337c2d9007c01973e6c90befd25e9df97f4e9374c93d3226536c70b5b4a0819aaf6affa79879bca8aa3b1d2a85d201730b9f51b89959279962677137

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
7eab0ddcbf3cec31ec7731b53fdb09d0

SHA1
bd75e8a2e47b1153d901874b4ecaff0c1222d149

SHA256
a0c9a8935e73279c9a1891afdfa494667cad34cf55063ad912c00ef3706cb280

SHA512
aff2f2bfd15f2840e0939b8fd73fea30797394d9fe5d14d02c86df6fe2ee5d28dccdfc3838777b8678c7c8278d3ee286dca219d4344b8782bca52a6dd1e9f4ca

Download Submit
memory/1528-20-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/1528-7-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/1528-11-0x0000000000400000-0x00000000008EC800-memory.dmp

Filesize
4.9MB

Download
memory/1528-6-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/1528-16-0x0000000000400000-0x00000000008EC800-memory.dmp

Filesize
4.9MB

Download
memory/1528-10-0x0000000000400000-0x00000000008EC800-memory.dmp

Filesize
4.9MB

Download
memory/1528-8-0x0000000000400000-0x00000000008EC800-memory.dmp

Filesize
4.9MB

Download
memory/3672-106-0x0000000000400000-0x00000000008EC800-memory.dmp

Filesize
4.9MB

Download
memory/3672-93-0x0000000000400000-0x00000000008EC800-memory.dmp

Filesize
4.9MB

Download
memory/3672-71-0x0000000000400000-0x00000000008EC800-memory.dmp

Filesize
4.9MB

Download
memory/4880-24-0x0000000000400000-0x00000000008EC800-memory.dmp

Filesize
4.9MB

Download
memory/4880-37-0x0000000000400000-0x00000000008EC800-memory.dmp

Filesize
4.9MB

Download
memory/4880-28-0x0000000000400000-0x00000000008EC800-memory.dmp

Filesize
4.9MB

Download
memory/4880-27-0x0000000000400000-0x00000000008EC800-memory.dmp

Filesize
4.9MB

Download