f92fdf2f4b0e767251e2d940b640365b70e8b117ceafb37280d8af18b0a73065

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbef48315232d1b8da0e97bf13d44ae1_JaffaCakes118.exe
Size

473KB
MD5

fbef48315232d1b8da0e97bf13d44ae1
SHA1

801c314d2008d7e1604c00c7215c68e54c6d1040
SHA256

f92fdf2f4b0e767251e2d940b640365b70e8b117ceafb37280d8af18b0a73065
SHA512

64d91c2ee7e91277054a1344a57e0ef140b116e857694013e18c2be9cfa21ad72f7fe58853b689c8f07b2f79c2d54235d291902fdbdd282d8adc6be35da12461
SSDEEP

12288:yEs/k5VZI19Una4PNZDRCK78woIvh0Nj9YEsM2ZQm150dboS:yEssXWYa4PXDp78XIqN2RMwJu

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2908	jO28621ApCmP28621.exe

Executes dropped EXE 1 IoCs

pid	Process
2908	jO28621ApCmP28621.exe

Loads dropped DLL 1 IoCs

pid	Process
2096	fbef48315232d1b8da0e97bf13d44ae1_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jO28621ApCmP28621 = "C:\\ProgramData\\jO28621ApCmP28621\\jO28621ApCmP28621.exe"	jO28621ApCmP28621.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2096-0-0x0000000000400000-0x00000000004CC000-memory.dmp	upx
behavioral1/memory/2096-3-0x0000000000400000-0x00000000004BF000-memory.dmp	upx
behavioral1/files/0x0007000000018687-12.dat	upx
behavioral1/memory/2908-17-0x0000000000400000-0x00000000004CC000-memory.dmp	upx
behavioral1/memory/2908-18-0x0000000000400000-0x00000000004CC000-memory.dmp	upx
behavioral1/memory/2096-16-0x00000000024F0000-0x00000000025BC000-memory.dmp	upx
behavioral1/memory/2096-22-0x0000000000400000-0x00000000004BF000-memory.dmp	upx
behavioral1/memory/2908-21-0x0000000000400000-0x00000000004CC000-memory.dmp	upx
behavioral1/memory/2096-20-0x0000000000400000-0x00000000004CC000-memory.dmp	upx
behavioral1/memory/2908-31-0x0000000000400000-0x00000000004CC000-memory.dmp	upx
behavioral1/memory/2908-41-0x0000000000400000-0x00000000004CC000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbef48315232d1b8da0e97bf13d44ae1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jO28621ApCmP28621.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	jO28621ApCmP28621.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2096	fbef48315232d1b8da0e97bf13d44ae1_JaffaCakes118.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	fbef48315232d1b8da0e97bf13d44ae1_JaffaCakes118.exe
Token: SeDebugPrivilege	2908	jO28621ApCmP28621.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2908	jO28621ApCmP28621.exe
2908	jO28621ApCmP28621.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2908	2096	fbef48315232d1b8da0e97bf13d44ae1_JaffaCakes118.exe	31
PID 2096 wrote to memory of 2908	2096	fbef48315232d1b8da0e97bf13d44ae1_JaffaCakes118.exe	31
PID 2096 wrote to memory of 2908	2096	fbef48315232d1b8da0e97bf13d44ae1_JaffaCakes118.exe	31
PID 2096 wrote to memory of 2908	2096	fbef48315232d1b8da0e97bf13d44ae1_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\fbef48315232d1b8da0e97bf13d44ae1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbef48315232d1b8da0e97bf13d44ae1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\ProgramData\jO28621ApCmP28621\jO28621ApCmP28621.exe
  "C:\ProgramData\jO28621ApCmP28621\jO28621ApCmP28621.exe" "C:\Users\Admin\AppData\Local\Temp\fbef48315232d1b8da0e97bf13d44ae1_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jO28621ApCmP28621\jO28621ApCmP28621

Filesize
192B

MD5
945277fefab0b887f418f8908137bf1d

SHA1
93e603a6d8f624b953de0cae5ce7cf17e4496d46

SHA256
1a956cbcea8ee2cbbeaf106976e84633cfe7e5459f09b23c1967c2a154872180

SHA512
b134d68882289ed952d37b55ea07f3eb33eaaabfc8b7f6477a4a3e6a73e53e08bd6d2df09cef1f324941b649bb169550558138fcb95f45a29a05ee6462bcdad6

Download Submit
\ProgramData\jO28621ApCmP28621\jO28621ApCmP28621.exe

Filesize
473KB

MD5
ce392f6635c971710361cf10c0100084

SHA1
1f139a60df25c8f861362473b01cce8bf0aa2598

SHA256
f4d97fe6697f4e712c632ccdbd285c79bf8a0645c6bcc89d8ec825c51a0eb480

SHA512
f395304ad92e2ff5751cfb4e6f8a0b6dfdc70bd6e3bd8589964d4275596bca766217c1b05395690d9f692271d01cae94321f44ef89468cb9f46ebca8817be088

Download Submit
memory/2096-3-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2096-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2096-1-0x0000000000280000-0x0000000000325000-memory.dmp

Filesize
660KB

Download
memory/2096-16-0x00000000024F0000-0x00000000025BC000-memory.dmp

Filesize
816KB

Download
memory/2096-22-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2096-2-0x00000000005D0000-0x0000000000623000-memory.dmp

Filesize
332KB

Download
memory/2096-20-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2908-17-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2908-18-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2908-21-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2908-31-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2908-41-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download