eb13885fff8504e93a9bfc897d5a8f1ea306a0bf413754160cef74987ace3b0a

Analysis

max time kernel
93s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c87171f1103457a273925a05a526fde_JaffaCakes118.exe
Size

25KB
MD5

0c87171f1103457a273925a05a526fde
SHA1

fe3804c16ddb11f66a095f9aed6765066dc1b1fd
SHA256

eb13885fff8504e93a9bfc897d5a8f1ea306a0bf413754160cef74987ace3b0a
SHA512

0416fa9a676a8bebf4b2ad16a60412912573bc52712df797a0256ee8f7859eb163b2ac52e51573d5d82b940208a3eaa339dffaea0f77e051bf69e8efb452b902
SSDEEP

768:83aokj3/mDOdniAgyGpSfLLjb89XWFJ4:8qr3/9diAcMDooj

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4600	system32uninstallneo1.exe
3704	system32uninstallneo2.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2032-0-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2032-10-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32uninstallneo1.exe	0c87171f1103457a273925a05a526fde_JaffaCakes118.exe
File created	C:\Windows\system32uninstallneo2.exe	0c87171f1103457a273925a05a526fde_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c87171f1103457a273925a05a526fde_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32uninstallneo1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32uninstallneo2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4600	system32uninstallneo1.exe
4600	system32uninstallneo1.exe
3704	system32uninstallneo2.exe
3704	system32uninstallneo2.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 4600	2032	0c87171f1103457a273925a05a526fde_JaffaCakes118.exe	82
PID 2032 wrote to memory of 4600	2032	0c87171f1103457a273925a05a526fde_JaffaCakes118.exe	82
PID 2032 wrote to memory of 4600	2032	0c87171f1103457a273925a05a526fde_JaffaCakes118.exe	82
PID 2032 wrote to memory of 3704	2032	0c87171f1103457a273925a05a526fde_JaffaCakes118.exe	83
PID 2032 wrote to memory of 3704	2032	0c87171f1103457a273925a05a526fde_JaffaCakes118.exe	83
PID 2032 wrote to memory of 3704	2032	0c87171f1103457a273925a05a526fde_JaffaCakes118.exe	83
PID 4600 wrote to memory of 2312	4600	system32uninstallneo1.exe	84
PID 4600 wrote to memory of 2312	4600	system32uninstallneo1.exe	84
PID 4600 wrote to memory of 2312	4600	system32uninstallneo1.exe	84

C:\Users\Admin\AppData\Local\Temp\0c87171f1103457a273925a05a526fde_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c87171f1103457a273925a05a526fde_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\system32uninstallneo1.exe
  C:\Windows\system32uninstallneo1.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s /u C:\Windows\system32\mshelper.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312
- C:\Windows\system32uninstallneo2.exe
  C:\Windows\system32uninstallneo2.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32uninstallneo1.exe

Filesize
40KB

MD5
7aefaf46dbf5f8c2acec1c61a15a375e

SHA1
2fcb9b101960b966b1906a56b841caec3c8cc517

SHA256
360d2099b0c6a2b4e3110f13e87486434e90375156084722cf9cb45782a8245f

SHA512
7c3b66dcb70d18fbbc91bdc5dcc25898311d4b74a8cbebdf9e74bd510e59a4dc28fac8fb9981425c68b6719658074aa0e68bd38e9d0e6a7f6e369745e56abb0f

Download Submit
C:\Windows\system32uninstallneo2.exe

Filesize
40KB

MD5
8a6270ab91e6977161d49833b810a0e1

SHA1
3011b79aa2ffffe8002a9dff32ced3fe9f0ed342

SHA256
e504a06166a66ad51d727ff198be12e0e0db783f9e88bf0646acfad582423f4c

SHA512
b6bb7ff95e3058580c1a99c53d0151c4613b802a4979c2c5165d8c4e0f711044fc5e2d7a7b3890414715e8f4c009f158d89546df4e491270b6f0c80436d5a0e2

Download Submit
memory/2032-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2032-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download