aa9c7122f5e37786b95da4238c49ff105fa63ad2b68186978cdf2c1f8ecd564c

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

090a464c04fd9727530591bdc816cfbc_JaffaCakes118.exe
Size

384KB
MD5

090a464c04fd9727530591bdc816cfbc
SHA1

571b4ed4ce1a296df6895ada4304c4955e7f7c75
SHA256

aa9c7122f5e37786b95da4238c49ff105fa63ad2b68186978cdf2c1f8ecd564c
SHA512

885bf9e5dc39ecdc79d4755d07d9dd5a84eaded645bc3f9b10b5afebe87f6643fa37b5ad67395583d9ded7c6c1830f15bb7037b603327045a4a343d4a65f5324
SSDEEP

6144:obLNDucG7dwcYRSU9PGmy8NsNSCfsiCnqjR3bBJzV2751MP:c5r2P1UzLNLCkPibHZ

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2772	eFm13400aBgCj13400.exe

Executes dropped EXE 1 IoCs

pid	Process
2772	eFm13400aBgCj13400.exe

Loads dropped DLL 1 IoCs

pid	Process
2948	090a464c04fd9727530591bdc816cfbc_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eFm13400aBgCj13400 = "C:\\ProgramData\\eFm13400aBgCj13400\\eFm13400aBgCj13400.exe"	eFm13400aBgCj13400.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2948-1-0x0000000000400000-0x00000000004D7000-memory.dmp	upx
behavioral1/memory/2948-13-0x0000000000400000-0x00000000004D7000-memory.dmp	upx
behavioral1/memory/2772-16-0x0000000000400000-0x00000000004D7000-memory.dmp	upx
behavioral1/memory/2772-25-0x0000000000400000-0x00000000004D7000-memory.dmp	upx
behavioral1/memory/2772-34-0x0000000000400000-0x00000000004D7000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	090a464c04fd9727530591bdc816cfbc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eFm13400aBgCj13400.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	eFm13400aBgCj13400.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2948	090a464c04fd9727530591bdc816cfbc_JaffaCakes118.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	090a464c04fd9727530591bdc816cfbc_JaffaCakes118.exe
Token: SeDebugPrivilege	2772	eFm13400aBgCj13400.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2772	eFm13400aBgCj13400.exe
2772	eFm13400aBgCj13400.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2772	2948	090a464c04fd9727530591bdc816cfbc_JaffaCakes118.exe	31
PID 2948 wrote to memory of 2772	2948	090a464c04fd9727530591bdc816cfbc_JaffaCakes118.exe	31
PID 2948 wrote to memory of 2772	2948	090a464c04fd9727530591bdc816cfbc_JaffaCakes118.exe	31
PID 2948 wrote to memory of 2772	2948	090a464c04fd9727530591bdc816cfbc_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\090a464c04fd9727530591bdc816cfbc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\090a464c04fd9727530591bdc816cfbc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948
- C:\ProgramData\eFm13400aBgCj13400\eFm13400aBgCj13400.exe
  "C:\ProgramData\eFm13400aBgCj13400\eFm13400aBgCj13400.exe" "C:\Users\Admin\AppData\Local\Temp\090a464c04fd9727530591bdc816cfbc_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eFm13400aBgCj13400\eFm13400aBgCj13400

Filesize
192B

MD5
bfa0307a177fd5f43222d1ca7a8b36d0

SHA1
600fccab9d813adca9ee1cf347ad58546f7da2e7

SHA256
dbbab8104dd5fdf18119b0bdbc6ca040510112ab667ecba5198f090f01058cef

SHA512
459b2dab3019d45bc87c931a7f6fab74e3be8a79e08c0a43a0a330d01c8a9c18f333182fe9fabc7c77057ccb0ec3d86bafdeb4d0daed736dd8ca6612d4a58cb9

Download Submit
\ProgramData\eFm13400aBgCj13400\eFm13400aBgCj13400.exe

Filesize
384KB

MD5
090a464c04fd9727530591bdc816cfbc

SHA1
571b4ed4ce1a296df6895ada4304c4955e7f7c75

SHA256
aa9c7122f5e37786b95da4238c49ff105fa63ad2b68186978cdf2c1f8ecd564c

SHA512
885bf9e5dc39ecdc79d4755d07d9dd5a84eaded645bc3f9b10b5afebe87f6643fa37b5ad67395583d9ded7c6c1830f15bb7037b603327045a4a343d4a65f5324

Download Submit
memory/2772-16-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2772-25-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2772-34-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2948-0-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2948-1-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2948-13-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download