c4a523fb9b79be1bd9526e21dba24ed95c801ee870a83cdbfae09ce01d8dee24

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Size

571KB
MD5

093a5c005f6429a998d3f93966b8282a
SHA1

7f1388376ffbaa292d1483c698e40e6f7d49a017
SHA256

c4a523fb9b79be1bd9526e21dba24ed95c801ee870a83cdbfae09ce01d8dee24
SHA512

07460553a3c9c08f248daedcaff5a31dae46eaa89e4b68256902b05dc89b1f7a2d8b79b0e85e910e8fdc824ab7f4f46e794aba49b91f8ebcce401f216a9e9783
SSDEEP

6144:F2QI5z04UUEv0L/f3UQktMa0r5pO1b2Cv+O1XQjT6l5ApI5KWi0SginwAncsmnpY:FPQzbRW2DqP6q1bLCWS+/xVAncs2paj

Score

6^/10

discovery upx

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4756-0-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral2/memory/4756-177-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral2/memory/4756-178-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral2/memory/4756-179-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral2/memory/4756-180-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral2/memory/4756-181-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral2/memory/4756-182-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral2/memory/4756-183-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral2/memory/4756-184-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral2/memory/4756-185-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral2/memory/4756-186-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral2/memory/4756-187-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral2/memory/4756-188-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral2/memory/4756-189-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral2/memory/4756-190-0x0000000000400000-0x00000000005A0000-memory.dmp	upx
behavioral2/memory/4756-191-0x0000000000400000-0x00000000005A0000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application\ = "mIRC"	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha\ = "ChatFile"	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\DefaultIcon	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\ifexec	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\ = "Chat File"	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\ = "URL:IRC Protocol"	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic\ = "Connect"	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command\ = "\"c:\\users\\admin\\appdata\\local\\temp\\093a5c005f6429a998d3f93966b8282a_jaffacakes118.exe\""	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ = "%1"	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application\ = "mIRC"	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat\ = "ChatFile"	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic\ = "Connect"	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\command	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\URL Protocol	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\DefaultIcon\ = "\"c:\\users\\admin\\appdata\\local\\temp\\093a5c005f6429a998d3f93966b8282a_jaffacakes118.exe\""	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ = "%1"	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec\ = "%1"	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command\ = "\"c:\\users\\admin\\appdata\\local\\temp\\093a5c005f6429a998d3f93966b8282a_jaffacakes118.exe\""	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Application	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec\ = "%1"	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon\ = "\"c:\\users\\admin\\appdata\\local\\temp\\093a5c005f6429a998d3f93966b8282a_jaffacakes118.exe\""	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Topic	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\EditFlags = 02000000	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4756	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
4756	093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\093a5c005f6429a998d3f93966b8282a_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mirc.ini

Filesize
858B

MD5
383281d2215901714531382b2d6ad83e

SHA1
1a7e39741c3b99d299787007ebaed0d6cec33c54

SHA256
b87b2b80819d7bf74e9a27ad787f972614334ca483204f2fc5231449c950b598

SHA512
e31f968e40aeeb1f0f1ef97c62e478cf139aeb17422b76f44e57be133bb90613a70443829934ea6e61a258c1d60ad83cf5b0039b8c43e5e97bb8e0d51ae3a678

Download Submit
C:\Users\Admin\AppData\Local\Temp\mirc.ini

Filesize
898B

MD5
ad4aaa7f9870d7a7e99a7e5a9394baa4

SHA1
0d79e791f42182fc11445f1312fbe3f4c88d8494

SHA256
a2db9bb2c5cefa064dad6638bfecee4229d8eb17129ba349ba019399dd11f5a2

SHA512
e7b9574cba89d9ffd7ed02fc6c3ee043020165ddfb0519fd30c79403caa09982a03b5b35cbdeb27d315ff1887fa26c237cfa64d3e4c882c229c4c80a65da7440

Download Submit
C:\Users\Admin\AppData\Local\Temp\mirc.ini

Filesize
716B

MD5
19e0fccbaddbf835cf9a9fcaa8ff5d52

SHA1
35a51a4a85e79a9365e7a514efc91345bb0b375f

SHA256
f9132a11e4aab27f5005ac0fc905e9ed023759f8614da3c6568fbbbb5d28bf57

SHA512
5a3432e34edab35b645d28f53f02350894b275f0e64fc8a20be368d726720bb4b2354cee3445e586804001395eee28afaa292712913b171117e851a1422910f7

Download Submit
memory/4756-181-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/4756-177-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/4756-178-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/4756-179-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/4756-180-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/4756-0-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/4756-182-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/4756-183-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/4756-184-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/4756-185-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/4756-186-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/4756-187-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/4756-188-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/4756-189-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/4756-190-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/4756-191-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download