5d66f7c7c0b0c3dcddba9dd01ee553bd177e5a5d4f27960322603b044973d3c7

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
Size

399KB
MD5

ff8576ae88dcaa9dd3d66f8490e49fe5
SHA1

a839a0016f7bf42f1c9227d3e6fcc489092bffe2
SHA256

5d66f7c7c0b0c3dcddba9dd01ee553bd177e5a5d4f27960322603b044973d3c7
SHA512

95ee0fb6c4ab7a13fb420cc20acdd485c2ee1b0d3929fc9d4a41f45a5bc8341e03d9378bc3ef00a665595f074621a20f17f0ec14fe3560e9d5f678f0dd2e8c5a
SSDEEP

6144:fbWbsX6j9UVsRNmq41V7FqSexNV8+hCGTr1e1Kxx9zxggB:6t9UVW4q4f7F67V8+hPcKxx9zfB

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2056	bL01300FcHoH01300.exe

Executes dropped EXE 1 IoCs

pid	Process
2056	bL01300FcHoH01300.exe

Loads dropped DLL 2 IoCs

pid	Process
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bL01300FcHoH01300 = "C:\\ProgramData\\bL01300FcHoH01300\\bL01300FcHoH01300.exe"	bL01300FcHoH01300.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2928-1-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral1/memory/2928-2-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral1/memory/2928-80-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral1/memory/2928-82-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral1/memory/2928-106-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral1/memory/2056-108-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral1/memory/2056-109-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral1/memory/2056-184-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral1/memory/2056-186-0x0000000000400000-0x00000000004D0000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bL01300FcHoH01300.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
Token: SeDebugPrivilege	2056	bL01300FcHoH01300.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2056	2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe	35
PID 2928 wrote to memory of 2056	2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe	35
PID 2928 wrote to memory of 2056	2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe	35
PID 2928 wrote to memory of 2056	2928	ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928
- C:\ProgramData\bL01300FcHoH01300\bL01300FcHoH01300.exe
  "C:\ProgramData\bL01300FcHoH01300\bL01300FcHoH01300.exe" "C:\Users\Admin\AppData\Local\Temp\ff8576ae88dcaa9dd3d66f8490e49fe5_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bL01300FcHoH01300\bL01300FcHoH01300

Filesize
208B

MD5
3d2cd75e07a333490d8372cfb9a59df9

SHA1
32e47a35fc08fe5e2474a9cde42576f99136b012

SHA256
32213303a29106db24a05f833c79e2cbdf2466844f86dc00937ec590a83c72bf

SHA512
081effc477d7de4f5827a42c1d0d7af169c76bdae0cca0b89a844aa7e8a93dd37299f1ca9504d9cd8727982e6bf882924190bcdf93b15001a23f8c3edf861b45

Download Submit
\ProgramData\bL01300FcHoH01300\bL01300FcHoH01300.exe

Filesize
399KB

MD5
9b46f3661b62dbe08564f51c268baea9

SHA1
42ef74bce276e870468dc861edfe8abc0fcfab5a

SHA256
2934ca2271118587a012f57744ff57337f76d5f948baee796222a80b43873b26

SHA512
ad4922c954f59ef621c27c6775507af7021a71cb3cd47e09d784a1745676e57d52e2a25e3310ca7f6d16c63647b3cf495993734050f050b953dec1c414680754

Download Submit
memory/2056-108-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2056-107-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2056-109-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2056-184-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2056-186-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2928-8-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2928-80-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2928-82-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2928-2-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2928-106-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2928-0-0x0000000000270000-0x0000000000273000-memory.dmp

Filesize
12KB

Download
memory/2928-1-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download