dc479c5d5816119ccaef17da84a1d151289bdcd16c895b29105cacf1b3c961ad

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0304e293ce5079abf8be49cdce9715e7_JaffaCakes118.exe
Size

302KB
MD5

0304e293ce5079abf8be49cdce9715e7
SHA1

10288016fee0fcd5704d9170156a59ddd1679be6
SHA256

dc479c5d5816119ccaef17da84a1d151289bdcd16c895b29105cacf1b3c961ad
SHA512

177752fffb5641260070d05ee07cfa9990f3535bdb70482f5841921f661157a14e5700d9bb81d283381f494d085cf3b27043531fec3715b1c467c9801c8ea9b7
SSDEEP

3072:m3eT1QAjA8rscNOk1+Kex9WZxR0+llNcjRIOD4ggRrxry2viN8vz6te2miN+rQCZ:CeRHorCv69e0+PKPgRxr3eOWte1imQ

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1904	0304e293ce5079abf8be49cdce9715e7_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1904	0304e293ce5079abf8be49cdce9715e7_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4220-0-0x0000000000400000-0x00000000004E0000-memory.dmp	upx
behavioral2/files/0x000800000002341f-12.dat	upx
behavioral2/memory/1904-13-0x0000000000400000-0x00000000004E0000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0304e293ce5079abf8be49cdce9715e7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0304e293ce5079abf8be49cdce9715e7_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4220	0304e293ce5079abf8be49cdce9715e7_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4220	0304e293ce5079abf8be49cdce9715e7_JaffaCakes118.exe
1904	0304e293ce5079abf8be49cdce9715e7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 1904	4220	0304e293ce5079abf8be49cdce9715e7_JaffaCakes118.exe	83
PID 4220 wrote to memory of 1904	4220	0304e293ce5079abf8be49cdce9715e7_JaffaCakes118.exe	83
PID 4220 wrote to memory of 1904	4220	0304e293ce5079abf8be49cdce9715e7_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\0304e293ce5079abf8be49cdce9715e7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0304e293ce5079abf8be49cdce9715e7_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Users\Admin\AppData\Local\Temp\0304e293ce5079abf8be49cdce9715e7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\0304e293ce5079abf8be49cdce9715e7_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0304e293ce5079abf8be49cdce9715e7_JaffaCakes118.exe

Filesize
302KB

MD5
ecc2917fe5233f2cca9bb2520f71006d

SHA1
de731fe0ff76d7f8c6d62503581c698086bba8ad

SHA256
0af3dc29d273accec0fbb3eb4384d48fe5074be8b5287348e718ad31d91b6c8f

SHA512
4123e305e5dd72ae2508b0f310c39ad588a3b76486d0bc847805b26aab97b50f39d7bd67c1563bab8976ce9e63596400f51f7174ec9459529d64abac156326e9

Download Submit
memory/1904-13-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1904-15-0x00000000014E0000-0x0000000001511000-memory.dmp

Filesize
196KB

Download
memory/1904-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1904-28-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4220-0-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4220-1-0x00000000015F0000-0x0000000001621000-memory.dmp

Filesize
196KB

Download
memory/4220-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4220-14-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download