c4a523fb9b79be1bd9526e21dba24ed95c801ee870a83cdbfae09ce01d8dee24

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Size

571KB
MD5

093a5c005f6429a998d3f93966b8282a
SHA1

7f1388376ffbaa292d1483c698e40e6f7d49a017
SHA256

c4a523fb9b79be1bd9526e21dba24ed95c801ee870a83cdbfae09ce01d8dee24
SHA512

07460553a3c9c08f248daedcaff5a31dae46eaa89e4b68256902b05dc89b1f7a2d8b79b0e85e910e8fdc824ab7f4f46e794aba49b91f8ebcce401f216a9e9783
SSDEEP

6144:F2QI5z04UUEv0L/f3UQktMa0r5pO1b2Cv+O1XQjT6l5ApI5KWi0SginwAncsmnpY:FPQzbRW2DqP6q1bLCWS+/xVAncs2paj

Score

6^/10

discovery upx

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2920-0-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral1/memory/2920-177-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral1/memory/2920-178-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral1/memory/2920-179-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral1/memory/2920-180-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral1/memory/2920-181-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral1/memory/2920-182-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral1/memory/2920-183-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral1/memory/2920-184-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral1/memory/2920-185-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral1/memory/2920-186-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral1/memory/2920-187-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral1/memory/2920-188-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral1/memory/2920-189-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral1/memory/2920-190-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral1/memory/2920-191-0x0000000000400000-0x00000000005A0000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe

Modifies registry class 40 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application\ = "mIRC"	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command\ = "\"c:\\users\\admin\\appdata\\local\\temp\\093a5c005f6429a998d3f93966b8282a_jaffacakes118.exe\""	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon\ = "\"c:\\users\\admin\\appdata\\local\\temp\\093a5c005f6429a998d3f93966b8282a_jaffacakes118.exe\""	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ = "%1"	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\URL Protocol	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat\ = "ChatFile"	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command\ = "\"c:\\users\\admin\\appdata\\local\\temp\\093a5c005f6429a998d3f93966b8282a_jaffacakes118.exe\""	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic\ = "Connect"	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\EditFlags = 02000000	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\DefaultIcon	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\ = "Chat File"	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ = "%1"	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Application	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\ifexec	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\command	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec\ = "%1"	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha\ = "ChatFile"	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec\ = "%1"	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application\ = "mIRC"	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Topic	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\DefaultIcon\ = "\"c:\\users\\admin\\appdata\\local\\temp\\093a5c005f6429a998d3f93966b8282a_jaffacakes118.exe\""	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic\ = "Connect"	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\ = "URL:IRC Protocol"	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2920	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
2920	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mirc.ini

Filesize
858B

MD5
383281d2215901714531382b2d6ad83e

SHA1
1a7e39741c3b99d299787007ebaed0d6cec33c54

SHA256
b87b2b80819d7bf74e9a27ad787f972614334ca483204f2fc5231449c950b598

SHA512
e31f968e40aeeb1f0f1ef97c62e478cf139aeb17422b76f44e57be133bb90613a70443829934ea6e61a258c1d60ad83cf5b0039b8c43e5e97bb8e0d51ae3a678

Download Submit
C:\Users\Admin\AppData\Local\Temp\mirc.ini

Filesize
19B

MD5
e9ddad736058215d31f40268c138a6eb

SHA1
e42334d1ec6d945182c5f34655797055961baf6a

SHA256
5e00f18d2b81682d061777d4ff5bbbb725fccd944bb7aad96a078e7c6d5428dc

SHA512
da04f830b9d653fac78642d6969f842a008bc1d06efc4c29c696fc128c61dacf94b12b33e1e9f95da31c2dc3797e319e20e5eaf6f843dcf26a9302bcad1398f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mirc.ini

Filesize
61B

MD5
571b6f0f63767a20fa00ddf4bd6c2914

SHA1
841d2b908492049e301763f00996647b40392fa7

SHA256
84d89b8ed6682948964670f3017bd6d81173c424b79071e31bbd46cadcddff89

SHA512
d18fcf8d8cb469bae0b977eb55e9d67c24d3934df33a106c017922ac4cfafda23fb83e3ebf2bacb49e8040fea2290d6b9b39dec99c9e413984f38a9971c3b031

Download Submit
C:\Users\Admin\AppData\Local\Temp\mirc.ini

Filesize
716B

MD5
19e0fccbaddbf835cf9a9fcaa8ff5d52

SHA1
35a51a4a85e79a9365e7a514efc91345bb0b375f

SHA256
f9132a11e4aab27f5005ac0fc905e9ed023759f8614da3c6568fbbbb5d28bf57

SHA512
5a3432e34edab35b645d28f53f02350894b275f0e64fc8a20be368d726720bb4b2354cee3445e586804001395eee28afaa292712913b171117e851a1422910f7

Download Submit
memory/2920-181-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/2920-177-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/2920-178-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/2920-179-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/2920-180-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/2920-0-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/2920-182-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/2920-183-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/2920-184-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/2920-185-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/2920-186-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/2920-187-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/2920-188-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/2920-189-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/2920-190-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/2920-191-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download