4da01fd8979053bb9e1834934af4e5b370c8b2a1625ebb3ed6fff9d67a794c79

Analysis

max time kernel
41s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
Size

2.1MB
MD5

034c8a5203d8613b6e6f613080e3e34f
SHA1

4f39fb7d601ab198910854d61344002f29cdf652
SHA256

4da01fd8979053bb9e1834934af4e5b370c8b2a1625ebb3ed6fff9d67a794c79
SHA512

48901b3fdc577ee429f5b7961b6d81379a1dc80c059cd1af87905ebe4caa59fb555d05ce28656db2a1f2b08501e3e5af0324819ae7aed59e5afa0b2e02a48957
SSDEEP

1536:OKD0A2T3vLbsih9e8bTTpb/IgQmP9zKcTDB4w/UjlQ/dpKRq:352T3siXei5bcmP9JfUjW

Score

7^/10

aspackv2 discovery persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0005000000018fc2-6.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
824	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\SvcHosts32 = "C:\\Windows\\system32\\svchosts.exe"	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers32\Train Simulator II No-Cd Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\MusicMatch Jukebox 8.x Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Direct Connect 1.x Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Microangelo 6.x Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Freedom - Soldiers of Liberty No-Cd Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Winamp 3.x Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\PhotoShow 2.x Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Civilization III - Conquest No-Cd Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\EverQuest 2 Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Shrek II No-Cd Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Knights of the Temple Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\UT 2004 No-Cd Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Railroad Tycoon III Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Command & Conquer Generals No-Cd Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\MechWarrior IV No-Cd Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\NHL 2002 No-Cd Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Quake 3 No-Cd Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\FIFA Soccer 2004 No-Cd Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Unreal Tournament 2004 No-Cd Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Internet Turbo 2003 5.4 Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\UltraEdit-32 10.00b Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Command & Conquer Generals Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\EverQuest 2 Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\MechWarrior III Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Warcraft III Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Lords of EverQuest No-Cd Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Microangelo 5.x Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Midtown Madness II Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Paint Shop Pro 8.x Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Tomb Raider - The Angel of Darkness No-Cd Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\RealOne Player 2.0 Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Praetorians Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Elder Scrolls III - Tribunal Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Flight Simulator - Century of Flight No-Cd Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Lord of the Rings - War of the Ring No-Cd Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\PhotoShow 2.0 Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\SimCity IV Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Madden NFL 2004 Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Halo No-Cd Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Lord of the Rings - The Two Towers No-Cd Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Conflict - Desert Storm II - Back to Baghdad No-Cd Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Download Accelerator Plus 5.3 Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\ACDSee 2.4.x Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Elder Scrolls III - Tribunal No-Cd Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NetPumper 1.03 Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Return to Castle Wolfenstein Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\PhotoShow 2.0 Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Tony Hawks Pro Skater 4 No-Cd Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Raven Shield No-Cd Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Railroad Tycoon III No-Cd Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\WinAce 2.x Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\WinRAR 3.12 Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Ulead GIF Animator 5.x Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Internet Turbo 2003 5.x Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\MechWarrior IV Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Ulead PhotoImpact 8.x Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\CloneCD 5.0 Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Tiger Woods PGA TOUR 2002 Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Kings of War Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Midtown Madness 3 Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Shrek 2 Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\Thief III Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers32\GeoWhere 2.x Serial Generator.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\DAP Plus 5.3 Crack.exe	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 824	1972	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe	29
PID 1972 wrote to memory of 824	1972	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe	29
PID 1972 wrote to memory of 824	1972	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe	29
PID 1972 wrote to memory of 824	1972	034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\034c8a5203d8613b6e6f613080e3e34f_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\$$$$$.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$$$$$.bat

Filesize
228B

MD5
c5a5dc72912191da47fdb24d1f7ac6a6

SHA1
a564b61b2b2b500a991e49253e20499e6298d993

SHA256
104240c6cc9b0f87aecbb3cb91de226cfdec20a7a45b122540ba0ffce9e6e153

SHA512
0e8fbae0c6d4decda551fc015ef64965d09af7d1c9a36646a6eb719cd7828bb70303b985a35592186de472f32d8e6ac15b2b295c29e4a596377491c943e32495

Download Submit
C:\Windows\SysWOW64\drivers32\Tomb Raider - The Angel of Darkness No-Cd Crack.exe

Filesize
2.1MB

MD5
034c8a5203d8613b6e6f613080e3e34f

SHA1
4f39fb7d601ab198910854d61344002f29cdf652

SHA256
4da01fd8979053bb9e1834934af4e5b370c8b2a1625ebb3ed6fff9d67a794c79

SHA512
48901b3fdc577ee429f5b7961b6d81379a1dc80c059cd1af87905ebe4caa59fb555d05ce28656db2a1f2b08501e3e5af0324819ae7aed59e5afa0b2e02a48957

Download Submit
memory/1972-3-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1972-426-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1972-826-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads