c492af19278e8168320fcd0813cc57bb072e1123c18fc8b41ad470501a511ce2

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

280e919e17d0704692d6c2a13a22f849_JaffaCakes118.exe
Size

336KB
MD5

280e919e17d0704692d6c2a13a22f849
SHA1

dd6b064fe12aa65de75edd852489583b482670cf
SHA256

c492af19278e8168320fcd0813cc57bb072e1123c18fc8b41ad470501a511ce2
SHA512

39d627ae16dfa15877d3f8b1278119a37a59cf919e80b3776ca17eea0676e89021369355087dbd4335168c0a2001a34075a63d79725908f40dd93a10c6c99479
SSDEEP

6144:595wkKlKY4/8CyGfjdP7HeXpIsYPfz+zfZ6mBzKSVrCIPXiSG:apeEIdD+isEazhtzL/Pi

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2328	BB25.tmp

Loads dropped DLL 3 IoCs

pid	Process
1548	280e919e17d0704692d6c2a13a22f849_JaffaCakes118.exe
1548	280e919e17d0704692d6c2a13a22f849_JaffaCakes118.exe
1548	280e919e17d0704692d6c2a13a22f849_JaffaCakes118.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c000000012268-9.dat	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	280e919e17d0704692d6c2a13a22f849_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1548	280e919e17d0704692d6c2a13a22f849_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 2328	1548	280e919e17d0704692d6c2a13a22f849_JaffaCakes118.exe	28
PID 1548 wrote to memory of 2328	1548	280e919e17d0704692d6c2a13a22f849_JaffaCakes118.exe	28
PID 1548 wrote to memory of 2328	1548	280e919e17d0704692d6c2a13a22f849_JaffaCakes118.exe	28
PID 1548 wrote to memory of 2328	1548	280e919e17d0704692d6c2a13a22f849_JaffaCakes118.exe	28
PID 1548 wrote to memory of 1536	1548	280e919e17d0704692d6c2a13a22f849_JaffaCakes118.exe	29
PID 1548 wrote to memory of 1536	1548	280e919e17d0704692d6c2a13a22f849_JaffaCakes118.exe	29
PID 1548 wrote to memory of 1536	1548	280e919e17d0704692d6c2a13a22f849_JaffaCakes118.exe	29
PID 1548 wrote to memory of 1536	1548	280e919e17d0704692d6c2a13a22f849_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\280e919e17d0704692d6c2a13a22f849_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\280e919e17d0704692d6c2a13a22f849_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Users\Admin\AppData\Local\Temp\BB25.tmp
  C:\Users\Admin\AppData\Local\Temp\BB25.tmp
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Users\Admin\AppData\Local\Temp\280e919e17d0704692d6c2a13a22f849_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\280e919e17d0704692d6c2a13a22f849_JaffaCakes118.exe" --cp "C:\Users\Admin\AppData\Local\Temp\BB35.tmp"
  2⤵
  PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BB25.tmp

Filesize
272KB

MD5
69dc2ea45fd75ca7b1f993447a2fae69

SHA1
b2c1c13caca6f27a77c82417fc0e0419378d37e8

SHA256
f74e1c828a61330da70ef6faec922d09bab0a56556803592d99c3b557d2ea692

SHA512
5076f3ac607bf3ad38bc13d95348c6a4b797c0f717b64cc04de22172fbe57a7817c189b2a6971244f92a79318d86af983f5eb3d24c8836087008e45898bc4b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB35.tmp

Filesize
336KB

MD5
b09459d9cd8741353d78d35333cfdaee

SHA1
3c178d7114ef6f75299eaa31b36fcb1e08f8a64d

SHA256
45be887d47aa66a4f18e5b0307c2bb2742ff5ab06c42838c1eb1f1285b743312

SHA512
92e9853943cd0fbe4ee398fd884a7871a481db4d4a1b58852b268aa197ccf076f2af513b0c8b9121f8b8c4c30041a6c519dcd05d9a405dec7d34b45d08a72235

Download Submit
memory/1536-14-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1536-17-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1548-0-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1548-3-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1548-2-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2328-21-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2328-22-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download