d859751f4ec78541cb84fb87aaeec7648f7a8586c95f1f7d8ae7b1fdc42c6148

Analysis

max time kernel
140s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd205f5c3d554174f5866cd698285cba_JaffaCakes118.exe
Size

182KB
MD5

fd205f5c3d554174f5866cd698285cba
SHA1

434adf83a08124b404078ae9c4ecbc83bec9550f
SHA256

d859751f4ec78541cb84fb87aaeec7648f7a8586c95f1f7d8ae7b1fdc42c6148
SHA512

7ff51f472d6cbf7658bb796066179f3f4626556e072eefdecfaad78c283ac74501a6f93d3c2b517df73a777ff3d8999c4c732caa532bea30976ad4d86faf7855
SSDEEP

3072:fb0neJG/Ng/TYBrNNKkPE7sVv2ivEOes5wKg2gZGfufHBSgE11L:fkeU/Ng/WmsJfET9Ox

Score

5^/10

discovery upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4672-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3336-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3336-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4672-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4672-16-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/memory/1592-122-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4672-293-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd205f5c3d554174f5866cd698285cba_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd205f5c3d554174f5866cd698285cba_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd205f5c3d554174f5866cd698285cba_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 3336	4672	fd205f5c3d554174f5866cd698285cba_JaffaCakes118.exe	82
PID 4672 wrote to memory of 3336	4672	fd205f5c3d554174f5866cd698285cba_JaffaCakes118.exe	82
PID 4672 wrote to memory of 3336	4672	fd205f5c3d554174f5866cd698285cba_JaffaCakes118.exe	82
PID 4672 wrote to memory of 1592	4672	fd205f5c3d554174f5866cd698285cba_JaffaCakes118.exe	83
PID 4672 wrote to memory of 1592	4672	fd205f5c3d554174f5866cd698285cba_JaffaCakes118.exe	83
PID 4672 wrote to memory of 1592	4672	fd205f5c3d554174f5866cd698285cba_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\fd205f5c3d554174f5866cd698285cba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd205f5c3d554174f5866cd698285cba_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Users\Admin\AppData\Local\Temp\fd205f5c3d554174f5866cd698285cba_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fd205f5c3d554174f5866cd698285cba_JaffaCakes118.exe startC:\Program Files (x86)\LP\489F\E67.exe%C:\Program Files (x86)\LP\489F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3336
- C:\Users\Admin\AppData\Local\Temp\fd205f5c3d554174f5866cd698285cba_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fd205f5c3d554174f5866cd698285cba_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\FF04C\3D648.exe%C:\Users\Admin\AppData\Roaming\FF04C
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FF04C\CCCC.F04

Filesize
996B

MD5
fb4ac5c2dbbfcb28b440770fa5d23b8e

SHA1
bc4ce0bcb3246f6dbacdaf4a1fd831d165d8cd72

SHA256
56d753732555bf27a56c7c41af5a3b3c9d467a1eb184b2f49527f6b937018ac3

SHA512
d1d6f9427c7ab690788c15d3f44f13a4722babd7f97fdfe47fd06b5346bcb81e9127a114c591fcea5b50bd982d36bb31ddcb38905e7ef7a64920b39bf031d351

Download Submit
C:\Users\Admin\AppData\Roaming\FF04C\CCCC.F04

Filesize
600B

MD5
09bdfc27652dde2e76247fc7bbb8fd64

SHA1
ec85c9c821f99810b8afbe5947e09808a4f6342e

SHA256
503f8379a5451207f6418f56d0aad3c106fd97edf1278dde0b6ca045a8cec4c3

SHA512
6213f83a29d7182484c4de59a275d8b47238319173150eb0ec48d727d535ab8242bcacaf56d8e717184114042a613862f5dbf8702a7c7c46205f924e257a8abe

Download Submit
C:\Users\Admin\AppData\Roaming\FF04C\CCCC.F04

Filesize
1KB

MD5
1be2b869801b6a5842b67452a65b4fa7

SHA1
fb66a7b50ad21091bb4fed8d141dd0c64daf6178

SHA256
9379b56e9aaa603eefc94e6fbad9c3422788d6f98dc374ef351142416c43aff4

SHA512
d94b0cda04eded7ac6fa47bd49a6773f43d76651d38e5e38939f05cb0cac81dff8ff3ff200cc2f451c0f79bbcb152b7fa6da9dfa1ed2d7ecff4f9398bca99ce8

Download Submit
memory/1592-122-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3336-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3336-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4672-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4672-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4672-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4672-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4672-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4672-293-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download