2a949cc908b0dac549d783420a76ca50869c3b0185f6b21e4fa137f5d947e0b5

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
Size

1.1MB
MD5

066a97c6a6f7ea46321e84e70751d3ca
SHA1

74d1d7c817e53aa0e056710e9cfb704382c3dd9f
SHA256

2a949cc908b0dac549d783420a76ca50869c3b0185f6b21e4fa137f5d947e0b5
SHA512

2eac5e67e19d94ca60e0c48f9a2fcab7b26b33b4f05dc48bab4f92df3b5bb04fdc2553b37bdba3fbc87df8bcd05aed75935f14d1027b88241a8491bf4dc9767f
SSDEEP

24576:Oh2Ay7zC0jp6ijdU6vmbstPcmVxA2Xgo/epDRWXA:Oh2AAzC0dxuA6EAGRI4XA

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000016de4-17.dat	acprotect

Loads dropped DLL 4 IoCs

pid	Process
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000016de4-17.dat	upx
behavioral1/memory/2980-19-0x0000000003F50000-0x0000000003F8D000-memory.dmp	upx
behavioral1/memory/2980-25-0x0000000003F50000-0x0000000003F8D000-memory.dmp	upx
behavioral1/memory/2980-23-0x0000000003F50000-0x0000000003F8D000-memory.dmp	upx
behavioral1/memory/2980-26-0x0000000003F50000-0x0000000003F8D000-memory.dmp	upx
behavioral1/memory/2980-22-0x0000000003F50000-0x0000000003F8D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
2980	066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\066a97c6a6f7ea46321e84e70751d3ca_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
212KB

MD5
4c9e8f81bf741a61915d0d4fc49d595e

SHA1
d033008b3a0e5d3fc8876e0423ee5509ecb3897c

SHA256
951d725f4a12cd4ff713ca147fa3be08a02367db6731283c3f1ba30445990129

SHA512
cf2c6f8f471c8a5aad563bc257035515860689b73ce343599c7713de8bc8338a031a722f366e005bc1907d6fc97b68b8b415e8ff05b7324fb1040c5dc02315d7

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\SkinH_EL.dll

Filesize
86KB

MD5
147127382e001f495d1842ee7a9e7912

SHA1
92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

SHA256
edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

SHA512
97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\internet.fne

Filesize
192KB

MD5
da1a51dd8b90bd7a62be23fa2378890d

SHA1
f76e88bea78eee91a8043bc4e544d9b6576a6f57

SHA256
97f3594e4e2f5f94f76fca0a997aa24a4868f0e27047facb322097df92358fa7

SHA512
716987136f1dee6a7587ac07fb9a5568fb054ea122059fc29ea687cb42806959580ddebe506d4b672a890f7bf1211d03d8868bf3153f07aa476acf0754876b3a

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
408353f496c083cb4cac452021585158

SHA1
fefaa32a8b5ea298dcd25510aa61c8337114f736

SHA256
e97a379ee8056fd26872a37f8d401dc8b96bbbb692e8dae262548aa4f1971b3b

SHA512
97a243ccea6f5c62969c7e0d01f0d128686bb6d0d3275ab2f57d8f1cefda24a1b4ad51e42133f2f8b7edde4c9e7612e4b2548275df3daccca96fca42f0137e58

Download Submit
memory/2980-25-0x0000000003F50000-0x0000000003F8D000-memory.dmp

Filesize
244KB

Download
memory/2980-19-0x0000000003F50000-0x0000000003F8D000-memory.dmp

Filesize
244KB

Download
memory/2980-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2980-23-0x0000000003F50000-0x0000000003F8D000-memory.dmp

Filesize
244KB

Download
memory/2980-26-0x0000000003F50000-0x0000000003F8D000-memory.dmp

Filesize
244KB

Download
memory/2980-22-0x0000000003F50000-0x0000000003F8D000-memory.dmp

Filesize
244KB

Download
memory/2980-21-0x0000000003F59000-0x0000000003F5A000-memory.dmp

Filesize
4KB

Download
memory/2980-12-0x0000000000350000-0x0000000000388000-memory.dmp

Filesize
224KB

Download
memory/2980-41-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download