2b49ca21dd645edd3d08709a68f205cc59bcc2a48b8b3ba49815fdceefbb1c4e

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27fb410d5aa6711fdfb83052c703203f_JaffaCakes118.exe
Size

1.6MB
MD5

27fb410d5aa6711fdfb83052c703203f
SHA1

bd3a79886d13837d1643227356946befcd488eb9
SHA256

2b49ca21dd645edd3d08709a68f205cc59bcc2a48b8b3ba49815fdceefbb1c4e
SHA512

b9681f68136ad3b7b95663b810b062cf198dedc5bd50d679dbc5883ff5feab9561d630e5b43e2da0401dad233088d8a7a5cdd024f1f57ffbe27ace642741a692
SSDEEP

24576:JS91TM/9KwQXJZcTufYgwDUuLKzY9IfKhV98ROv1enKEUdx3WO3TOHM3ISjaa:JCCVRQX/cSFwDEY9jhV8UELUdxWcTF7

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000600000001739a-25.dat	acprotect

Loads dropped DLL 5 IoCs

pid	Process
2420	27fb410d5aa6711fdfb83052c703203f_JaffaCakes118.exe
2420	27fb410d5aa6711fdfb83052c703203f_JaffaCakes118.exe
2420	27fb410d5aa6711fdfb83052c703203f_JaffaCakes118.exe
2420	27fb410d5aa6711fdfb83052c703203f_JaffaCakes118.exe
2420	27fb410d5aa6711fdfb83052c703203f_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001739a-25.dat	upx
behavioral1/memory/2420-27-0x0000000000480000-0x00000000004BC000-memory.dmp	upx
behavioral1/memory/2420-102-0x0000000000480000-0x00000000004BC000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	27fb410d5aa6711fdfb83052c703203f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2420	27fb410d5aa6711fdfb83052c703203f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\27fb410d5aa6711fdfb83052c703203f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\27fb410d5aa6711fdfb83052c703203f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsdA517.tmp\ioSpecial.ini

Filesize
637B

MD5
2202745c563faf107210219a336e94e4

SHA1
fc3a3b8e1d5973e099a57fd36aedf8f5f16e9093

SHA256
d3bb4770b0bac3d6506abdab9f9dfd894e5cbcb392492854179db884d3b6d522

SHA512
b6e212285b28302bd44415c8a9e0fd219e65f645e2cd5f0d2cac5f6d25f9b368b4a4b428267fb5e820cacf708708ffbec16164e78167cca26ef910d395d4d42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdA517.tmp\ioSpecial.ini

Filesize
676B

MD5
15440932d515ae03fb5bc40de4b18d4f

SHA1
3171ceb5ae36a94d2e2240b8a0343124e579d99d

SHA256
c15f493420329a0533ec5d8379ea9ed3c715bff6d50da3b96191e7e7ad0fedcc

SHA512
261175e6b6b870e834d886333c044f2c56d12fe29ecbbdf821cda9bc8f374212e6397ee58ce72b10c6ac159f5a3bc58721d4f3901c48a5d5fa653ac3b96b6e62

Download Submit
\Users\Admin\AppData\Local\Temp\nsdA517.tmp\AdvSplash.dll

Filesize
6KB

MD5
13cc92f90a299f5b2b2f795d0d2e47dc

SHA1
aa69ead8520876d232c6ed96021a4825e79f542f

SHA256
eb1ca2b3a6e564c32677d0cdc388e26b74ef686e071d7dbca44d0bfa10488feb

SHA512
ff4e6e6e7104568fc85ef3a3f0494a5c7822a4ceaf65c584ad534f08f9a472a8d86f0a62f1f86343c61e2540b2254714b7ea43e4b312ff13d8271ff069386fa3

Download Submit
\Users\Admin\AppData\Local\Temp\nsdA517.tmp\ButtonLinker.dll

Filesize
7KB

MD5
dd85ac7d85c92dd0e3cc17dfd4890f54

SHA1
a128fb7a05965c1a9913c6f5e419e6c4c0a7d2fa

SHA256
27abd2a4fb1bf66add60221b52d061bbe24d2d21e13600725ff7a5c6c777b504

SHA512
e4ff8216c65110a9d156f37c2062acb53a72daa8af12dfc24278920d9e1a4083a81b1446759df75405b2da34c7bfb1afc33184feedd0aee4ed73f79fcbb1a8a1

Download Submit
\Users\Admin\AppData\Local\Temp\nsdA517.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
\Users\Admin\AppData\Local\Temp\nsdA517.tmp\SkinH.dll

Filesize
84KB

MD5
a00c474dc4ced90b8f5a692108c45dce

SHA1
e02722d30a6218523e9ddef287817788a4a9b9fc

SHA256
6504e515cbcf89cb98fd9f1a310125bfdf93e1f6a6bf0c64c0229e5670cac9b1

SHA512
e81b001379f94fabb71f1d6a019b81202e00da7338048b77d1728b40427689a32801419377d3e86c51c5e418cc3ccc328ee00adc69eaa575267bcaac8f477abd

Download Submit
\Users\Admin\AppData\Local\Temp\nsdA517.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/2420-27-0x0000000000480000-0x00000000004BC000-memory.dmp

Filesize
240KB

Download
memory/2420-102-0x0000000000480000-0x00000000004BC000-memory.dmp

Filesize
240KB

Download