9aee834ce65998e4770dba38e9e5589628ca7603a94568ee17df0cf3b43f1d0b

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14f5f6f8da79e1eb2d347ce7bf178a79_JaffaCakes118.exe
Size

727KB
MD5

14f5f6f8da79e1eb2d347ce7bf178a79
SHA1

5bcb12bf9727b95f586a9acb73302c66b342a330
SHA256

9aee834ce65998e4770dba38e9e5589628ca7603a94568ee17df0cf3b43f1d0b
SHA512

f27ef555be62aa7b8a405923e49070fdfb99ad1ee338ab1cb71086f03b6b3b33b83ca55dbd735ec0060e5f330d4b61b4aa7a52e860df9141f6697e9a5da40892
SSDEEP

12288:KK2mhAMJ/cPlJyhfDnu/7Cl0iW9nBdgvmFyN58h7UZYE82Y5UKUL4n4y3Xp3SbSm:72O/GlEhfjuuOi0n3g47g6zwm4m53Sbv

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1940	DDZMM.exe
340	DDZMM.exe

Loads dropped DLL 2 IoCs

pid	Process
1784	WScript.exe
1940	DDZMM.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 340 set thread context of 1492	340	DDZMM.exe	33

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1492-1101-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral1/memory/1492-1102-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral1/memory/1492-1100-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral1/memory/1492-1099-0x0000000000400000-0x000000000047F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DDZMM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DDZMM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14f5f6f8da79e1eb2d347ce7bf178a79_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1492	RegSvcs.exe
1492	RegSvcs.exe
1492	RegSvcs.exe
1492	RegSvcs.exe
1492	RegSvcs.exe
1492	RegSvcs.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 1784	2068	14f5f6f8da79e1eb2d347ce7bf178a79_JaffaCakes118.exe	30
PID 2068 wrote to memory of 1784	2068	14f5f6f8da79e1eb2d347ce7bf178a79_JaffaCakes118.exe	30
PID 2068 wrote to memory of 1784	2068	14f5f6f8da79e1eb2d347ce7bf178a79_JaffaCakes118.exe	30
PID 2068 wrote to memory of 1784	2068	14f5f6f8da79e1eb2d347ce7bf178a79_JaffaCakes118.exe	30
PID 2068 wrote to memory of 1784	2068	14f5f6f8da79e1eb2d347ce7bf178a79_JaffaCakes118.exe	30
PID 2068 wrote to memory of 1784	2068	14f5f6f8da79e1eb2d347ce7bf178a79_JaffaCakes118.exe	30
PID 2068 wrote to memory of 1784	2068	14f5f6f8da79e1eb2d347ce7bf178a79_JaffaCakes118.exe	30
PID 1784 wrote to memory of 1940	1784	WScript.exe	31
PID 1784 wrote to memory of 1940	1784	WScript.exe	31
PID 1784 wrote to memory of 1940	1784	WScript.exe	31
PID 1784 wrote to memory of 1940	1784	WScript.exe	31
PID 1784 wrote to memory of 1940	1784	WScript.exe	31
PID 1784 wrote to memory of 1940	1784	WScript.exe	31
PID 1784 wrote to memory of 1940	1784	WScript.exe	31
PID 1940 wrote to memory of 340	1940	DDZMM.exe	32
PID 1940 wrote to memory of 340	1940	DDZMM.exe	32
PID 1940 wrote to memory of 340	1940	DDZMM.exe	32
PID 1940 wrote to memory of 340	1940	DDZMM.exe	32
PID 1940 wrote to memory of 340	1940	DDZMM.exe	32
PID 1940 wrote to memory of 340	1940	DDZMM.exe	32
PID 1940 wrote to memory of 340	1940	DDZMM.exe	32
PID 340 wrote to memory of 1492	340	DDZMM.exe	33
PID 340 wrote to memory of 1492	340	DDZMM.exe	33
PID 340 wrote to memory of 1492	340	DDZMM.exe	33
PID 340 wrote to memory of 1492	340	DDZMM.exe	33
PID 340 wrote to memory of 1492	340	DDZMM.exe	33
PID 340 wrote to memory of 1492	340	DDZMM.exe	33
PID 340 wrote to memory of 1492	340	DDZMM.exe	33
PID 340 wrote to memory of 1492	340	DDZMM.exe	33
PID 340 wrote to memory of 1492	340	DDZMM.exe	33

C:\Users\Admin\AppData\Local\Temp\14f5f6f8da79e1eb2d347ce7bf178a79_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14f5f6f8da79e1eb2d347ce7bf178a79_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\EUBVE\3562.vbs" 7224
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Users\Admin\EUBVE\DDZMM.exe
    "C:\Users\Admin\EUBVE\DDZMM.exe" 884890.OBP
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Users\Admin\EUBVE\DDZMM.exe
      DDZMM.exe SBJELPWK.dat
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:340
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\EUBVE\101425.dat

Filesize
114KB

MD5
2a5d1649dddd0fcffbce3e5bbf0082d7

SHA1
5b12dadae0110bacf0debc3c54ad1522abe2429c

SHA256
042ccd0e0a5d2ebb28b6dfd6caffe85eaa5ac5e5bc6b782f1fbe431a79794d4a

SHA512
6baf7b6fec131261b04de14df12b61457eff3d3cb0d18ebbc268d6ee94dfe5042cee0776f0a9d7a9c28ab82b4f8c3cc5d76051eb4ecef790ae5cfc7000925d1e

Download Submit
C:\Users\Admin\EUBVE\3562.vbs

Filesize
56B

MD5
01d99670caabc800c4f835011a8a1126

SHA1
c7b9ae8996f368806918b6b6e33c3ccda50cd49d

SHA256
10ee16909940dbb8aa55dc91f0dfdd71aa434ef0277267e40959b83baa0ccbca

SHA512
70c188de77e4baec8046b39694455d88a63185a367b11bd0d8e829b37f805662e014e5ce569bd4d666c516ac71a235d3c5379f81a5c9a7a345659d71a7985567

Download Submit
C:\Users\Admin\EUBVE\414275.dat

Filesize
27KB

MD5
5a824c296f763eb11cb4efd8842636f9

SHA1
77962a93458d802a53bf2253f9a240255f799273

SHA256
15b2adb95ed7bf44c78e960beadc90c015c0d7407563c3f4c04206fa6a8b4a24

SHA512
db6c4072d39bbd87ca55261ed51aee92eeae38b02ba101b508ec908463a4108ffe7dbc37746133c94ec4f4a2bd81bfef5f37601df0752358edee840d1fe99b85

Download Submit
C:\Users\Admin\EUBVE\884890.OBP

Filesize
6.6MB

MD5
4d70b7bd7eba0692c98517147d5c8758

SHA1
75879c59a462b13eecec74152dfc2e536df934a0

SHA256
f414cd0eee5e15645213ad8950ca9c794f6ea4f409429e9b0e49996d84c7e263

SHA512
ec09be659543f20ab8891c075e5400346788f711f27b614c34d49b679ae22478ec316dd1b793b35d64453c1952d4f80eff17394dedba94aea0700023696dc4af

Download Submit
C:\Users\Admin\EUBVE\DDZMM.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\EUBVE\SBJELPWK.dat

Filesize
27KB

MD5
9c422c5ee0c4d94b187d19ff485c1932

SHA1
b33a571f69eb92502104acad0f7a347e75fa6ac3

SHA256
5c5b1f7b8fb4cdbbfe9fde0f088fc6d0fac5081f56886fb7be5f39d0010af010

SHA512
cfbee2404834e1eb86c17f325e96cffe84438c8651fa747373301df33b386ff355ef703c420e32524e43f0d4f7bfb287dbf4181b574f4ac3bdaf3468bd14dcde

Download Submit
C:\Users\Admin\EUBVE\settings.ini

Filesize
127KB

MD5
f48f370bcf13af048c7c0008500a836d

SHA1
0e78d91c19420fad79244f023134a38396d8c386

SHA256
3a3217b289ba767d2ed8ebbdcb876bc1fab9fc52d2b5932d8ac511fd9f7facd9

SHA512
eb94a147c962dd5d2ed7492ab99ccdb59bb7aac59cc9793111706117499e731de05a69cbd11d218b0737500b08942c5223fec06116b85f41f6a8995ce5780859

Download Submit
memory/1492-1101-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1492-1102-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1492-1100-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1492-1099-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1492-1098-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1492-1097-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download