5c6c6019283a22b8e2202d88a8d9ca6c4f87f3154945bb07a5db5b23071c9e53

Analysis

max time kernel
149s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2024 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe
Size

1.8MB
MD5

f7ede4315ac864a6ee98609b1d5313d2
SHA1

637b597c6e1448c97980e081994aafdc4c3159ba
SHA256

5c6c6019283a22b8e2202d88a8d9ca6c4f87f3154945bb07a5db5b23071c9e53
SHA512

2552c0d8302fae497e3903f7946996dd971ace822392df60279c23a6cc05607c2743d23b7fc3c5af68ec97b81cb043e35d06d28683ed4b4b16e432268b84ef3f
SSDEEP

24576:h5iYzJqnXGaUVsdan5OcHnOSE65Jp6EbNlHAqSakgEl7YifVbs+Ll4Se7hCm2:/ilusd+OaGALtNlgqSMI77u+B4SUYm2

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AV Security 2012v121.exe

Executes dropped EXE 2 IoCs

pid	Process
2216	AV Security 2012v121.exe
5100	AV Security 2012v121.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BXqjYCekIrOyAuS8234A = "C:\\Windows\\system32\\AV Security 2012v121.exe"	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szONyxA0uSoFpGs8234A = "C:\\Users\\Admin\\AppData\\Roaming\\kIBtzP0yc1v3n4m\\AV Security 2012v121.exe"	AV Security 2012v121.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\AV Security 2012v121.exe	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AV Security 2012v121.exe	AV Security 2012v121.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3480-2-0x0000000000400000-0x00000000008E0000-memory.dmp	upx
behavioral2/memory/3480-9-0x0000000000400000-0x00000000008DD000-memory.dmp	upx
behavioral2/memory/3480-8-0x0000000000400000-0x00000000008E0000-memory.dmp	upx
behavioral2/memory/2216-12-0x0000000000400000-0x00000000008E0000-memory.dmp	upx
behavioral2/memory/2216-18-0x0000000000400000-0x00000000008E0000-memory.dmp	upx
behavioral2/memory/5100-20-0x0000000000400000-0x00000000008E0000-memory.dmp	upx
behavioral2/memory/5100-49-0x0000000000400000-0x00000000008E0000-memory.dmp	upx
behavioral2/memory/5100-52-0x0000000000400000-0x00000000008E0000-memory.dmp	upx
behavioral2/memory/5100-95-0x0000000000400000-0x00000000008E0000-memory.dmp	upx
behavioral2/memory/5100-106-0x0000000000400000-0x00000000008E0000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV Security 2012v121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV Security 2012v121.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2216	AV Security 2012v121.exe
2216	AV Security 2012v121.exe
2216	AV Security 2012v121.exe
2216	AV Security 2012v121.exe
2216	AV Security 2012v121.exe
2216	AV Security 2012v121.exe
2216	AV Security 2012v121.exe
2216	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	5012	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3480	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe
2216	AV Security 2012v121.exe
2216	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe
5100	AV Security 2012v121.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 2216	3480	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe	82
PID 3480 wrote to memory of 2216	3480	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe	82
PID 3480 wrote to memory of 2216	3480	f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe	82
PID 2216 wrote to memory of 5100	2216	AV Security 2012v121.exe	83
PID 2216 wrote to memory of 5100	2216	AV Security 2012v121.exe	83
PID 2216 wrote to memory of 5100	2216	AV Security 2012v121.exe	83

C:\Users\Admin\AppData\Local\Temp\f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Windows\SysWOW64\AV Security 2012v121.exe
  C:\Windows\system32\AV Security 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\f7ede4315ac864a6ee98609b1d5313d2_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Users\Admin\AppData\Roaming\kIBtzP0yc1v3n4m\AV Security 2012v121.exe
    C:\Users\Admin\AppData\Roaming\kIBtzP0yc1v3n4m\AV Security 2012v121.exe 5985C:\Windows\SysWOW64\AV Security 2012v121.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:5100

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ldr.ini

Filesize
612B

MD5
a7cff810bf6f40400583cc3218aa5fa9

SHA1
19f4005343f4d1c96ba420073b987ff269c8c72e

SHA256
834aee241a81ac4011b40ec25b04c4d86b78c60d7ab052a211ba14707d2f6ab7

SHA512
c0d0f693458c5590b41388770d5812d1dfa7a089ca4434c17e31c0f1c8d4afd941eed3a44818625b84c992ea9f103ddf54e8079ae744b03d92c047d136c2891f

Download Submit
C:\Users\Admin\AppData\Roaming\ldr.ini

Filesize
1KB

MD5
224b6f7986357f5986d468f153cbd06b

SHA1
b3414880d03cbbb85dd06ede3605ad30edf8ccec

SHA256
86e22837dc2ddac84cd00ddbdfca0a4cb1dbd98abeacc8492875f3080b64820c

SHA512
1908a1c9a44db13d00d3d2f48f14380131cefaad324dd75241093572f617bd8dbc8e2fb63012f9a19358e4cd19e28488f578f10b6ead05c851f89160a56fef2e

Download Submit
C:\Windows\SysWOW64\AV Security 2012v121.exe

Filesize
1.8MB

MD5
f7ede4315ac864a6ee98609b1d5313d2

SHA1
637b597c6e1448c97980e081994aafdc4c3159ba

SHA256
5c6c6019283a22b8e2202d88a8d9ca6c4f87f3154945bb07a5db5b23071c9e53

SHA512
2552c0d8302fae497e3903f7946996dd971ace822392df60279c23a6cc05607c2743d23b7fc3c5af68ec97b81cb043e35d06d28683ed4b4b16e432268b84ef3f

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
7eab0ddcbf3cec31ec7731b53fdb09d0

SHA1
bd75e8a2e47b1153d901874b4ecaff0c1222d149

SHA256
a0c9a8935e73279c9a1891afdfa494667cad34cf55063ad912c00ef3706cb280

SHA512
aff2f2bfd15f2840e0939b8fd73fea30797394d9fe5d14d02c86df6fe2ee5d28dccdfc3838777b8678c7c8278d3ee286dca219d4344b8782bca52a6dd1e9f4ca

Download Submit
memory/2216-11-0x0000000000400000-0x00000000008E0000-memory.dmp

Filesize
4.9MB

Download
memory/2216-12-0x0000000000400000-0x00000000008E0000-memory.dmp

Filesize
4.9MB

Download
memory/2216-18-0x0000000000400000-0x00000000008E0000-memory.dmp

Filesize
4.9MB

Download
memory/3480-2-0x0000000000400000-0x00000000008E0000-memory.dmp

Filesize
4.9MB

Download
memory/3480-9-0x0000000000400000-0x00000000008DD000-memory.dmp

Filesize
4.9MB

Download
memory/3480-8-0x0000000000400000-0x00000000008E0000-memory.dmp

Filesize
4.9MB

Download
memory/3480-1-0x0000000000400000-0x00000000008DD000-memory.dmp

Filesize
4.9MB

Download
memory/5100-20-0x0000000000400000-0x00000000008E0000-memory.dmp

Filesize
4.9MB

Download
memory/5100-49-0x0000000000400000-0x00000000008E0000-memory.dmp

Filesize
4.9MB

Download
memory/5100-52-0x0000000000400000-0x00000000008E0000-memory.dmp

Filesize
4.9MB

Download
memory/5100-95-0x0000000000400000-0x00000000008E0000-memory.dmp

Filesize
4.9MB

Download
memory/5100-106-0x0000000000400000-0x00000000008E0000-memory.dmp

Filesize
4.9MB

Download