3c4ff0e177a533320009993a981a518ca186fc33cac5b99ccad9d7d9631b5816

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2024 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
Size

2.6MB
MD5

24e7882f29cb3915c27491d3e5df82b0
SHA1

41c7097a2751f4f0b6af0eb9c4f0bcdfdfb18212
SHA256

3c4ff0e177a533320009993a981a518ca186fc33cac5b99ccad9d7d9631b5816
SHA512

f8e6d9859c5ea83bcb1b40fb7169fc6249378cd2bdd97adafa063a401dcb1e7fb2e53b1afcf2252dfefc53326b050a178426f6a8211db4fc3fd9d4dac0c67632
SSDEEP

49152:NMRWzjeL822+lKZqAg63HcFAXrPu0q9ay3:WwewB+HFIzzq93

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2116	24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3860-0-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral2/files/0x000c000000023b3b-12.dat	upx
behavioral2/memory/2116-20-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3860	24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3860	24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
2116	24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3860 wrote to memory of 2116	3860	24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe	83
PID 3860 wrote to memory of 2116	3860	24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe	83
PID 3860 wrote to memory of 2116	3860	24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3860
- C:\Users\Admin\AppData\Local\Temp\24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\24e7882f29cb3915c27491d3e5df82b0_JaffaCakes118.exe

Filesize
2.6MB

MD5
8b748715e6b4925607e952658eac8cfd

SHA1
ab266f4803c484ad496e6f7962708d0bb4dfb4a8

SHA256
5056a359b1df4a9876c838a9531fecb367f5e1a1c5a4130b1df27a6ac3dcd7db

SHA512
8132a4caa3be15524818da0801c0e465332e23a92b9655f740dd1b3ae492e5f6227ba762b2da19ebcaa95efb40151a8d6034e5a32c3def76373cb3d551903b6f

Download Submit
memory/2116-21-0x0000000002320000-0x000000000257A000-memory.dmp

Filesize
2.4MB

Download
memory/2116-20-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2116-29-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/3860-0-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/3860-1-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/3860-8-0x00000000023F0000-0x000000000264A000-memory.dmp

Filesize
2.4MB

Download
memory/3860-13-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download