19a229af10f95b05756f7eb39a7fd9259a7d934088c576d545a7bdcdd5a836a9

Analysis

max time kernel
135s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0261bb600eb22fc06d59e9d1f9b3e74d_JaffaCakes118.exe
Size

37KB
MD5

0261bb600eb22fc06d59e9d1f9b3e74d
SHA1

640ac169f62d1210a8c72b23c400a4116c73b16f
SHA256

19a229af10f95b05756f7eb39a7fd9259a7d934088c576d545a7bdcdd5a836a9
SHA512

04c2c2971941e69244468416a283fa668b9e3d85a0f48b562c2be30afcf755a6c373b80267b01f616d574227534a453b88ef6ae5e9aa418295ffed1dd493c668
SSDEEP

768:Wm0et7ETDLVImRlp47WtoRB3TsyruprEupe0Ho5e/4+:WeoDmmRlIWu3THruREWeh5i4

Score

8^/10

discovery upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\pecqal.sys	0261bb600eb22fc06d59e9d1f9b3e74d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\pecqal.sys	0261bb600eb22fc06d59e9d1f9b3e74d_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FUkKsJ.dll	0261bb600eb22fc06d59e9d1f9b3e74d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\FUkKsJ.dll	0261bb600eb22fc06d59e9d1f9b3e74d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\7bm1N1.bat	0261bb600eb22fc06d59e9d1f9b3e74d_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1612-0-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/1612-10-0x0000000000400000-0x000000000041B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0261bb600eb22fc06d59e9d1f9b3e74d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2040	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2040	PING.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 432	1612	0261bb600eb22fc06d59e9d1f9b3e74d_JaffaCakes118.exe	85
PID 1612 wrote to memory of 432	1612	0261bb600eb22fc06d59e9d1f9b3e74d_JaffaCakes118.exe	85
PID 1612 wrote to memory of 432	1612	0261bb600eb22fc06d59e9d1f9b3e74d_JaffaCakes118.exe	85
PID 432 wrote to memory of 2040	432	cmd.exe	87
PID 432 wrote to memory of 2040	432	cmd.exe	87
PID 432 wrote to memory of 2040	432	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\0261bb600eb22fc06d59e9d1f9b3e74d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0261bb600eb22fc06d59e9d1f9b3e74d_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\7bm1N1.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\7bm1N1.bat

Filesize
249B

MD5
677d941a58d2feb702a5de24b5e7f32f

SHA1
75f5941b55af7d142c82d3ed55178498b239aefa

SHA256
0efebd209c8ee2bb45997d9de8b8bcc91e99bb1b7506b1f38d9d6633d61f2ed5

SHA512
02efb75e7cd19e11c892fd60c3ffcd971e045653d86dd3ecc448ae0f9e835cfc326972ccd4ed35987d14f07f6330a42b8fa867da614f39e7463bf425bcd90807

Download Submit
memory/1612-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1612-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download