1988db582ead736b617e8ffa360baa905b8ed8ace1f3ef4eb9af7dfb78ebfc49

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/10/2024, 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31183a0930ddbe6ca5a8e022b688fa44_JaffaCakes118.exe
Size

394KB
MD5

31183a0930ddbe6ca5a8e022b688fa44
SHA1

b481d21d7236533dcb7851a4aa55fa291bdc9323
SHA256

1988db582ead736b617e8ffa360baa905b8ed8ace1f3ef4eb9af7dfb78ebfc49
SHA512

f878e98ba6d8712539d49748cce5a08fd74969729cce7b8846f8d090b2a23b085ea8bd8326922d417ffd30efe0d36d70124e76114abf83146e7b0f35d88e03f2
SSDEEP

3072:q5cs2qmopA1xXbcZHcAxBf5WNe4fa7Zfca9HoBwKcWOojllM6doXJrB0THG1onXz:q/npA1BQ9DJZfca9HqCl6giRnGYgPvnY

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2676	~GM9666.exe

Loads dropped DLL 8 IoCs

pid	Process
2032	31183a0930ddbe6ca5a8e022b688fa44_JaffaCakes118.exe
2676	~GM9666.exe
2676	~GM9666.exe
2676	~GM9666.exe
2676	~GM9666.exe
2676	~GM9666.exe
2676	~GM9666.exe
2676	~GM9666.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000001662e-1.dat	upx
behavioral1/memory/2676-6-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2676-11-0x0000000000240000-0x000000000027A000-memory.dmp	upx
behavioral1/memory/2676-247-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31183a0930ddbe6ca5a8e022b688fa44_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~GM9666.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2676	~GM9666.exe
2676	~GM9666.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2676	~GM9666.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	31183a0930ddbe6ca5a8e022b688fa44_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2676	~GM9666.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2676	2032	31183a0930ddbe6ca5a8e022b688fa44_JaffaCakes118.exe	30
PID 2032 wrote to memory of 2676	2032	31183a0930ddbe6ca5a8e022b688fa44_JaffaCakes118.exe	30
PID 2032 wrote to memory of 2676	2032	31183a0930ddbe6ca5a8e022b688fa44_JaffaCakes118.exe	30
PID 2032 wrote to memory of 2676	2032	31183a0930ddbe6ca5a8e022b688fa44_JaffaCakes118.exe	30
PID 2032 wrote to memory of 2676	2032	31183a0930ddbe6ca5a8e022b688fa44_JaffaCakes118.exe	30
PID 2032 wrote to memory of 2676	2032	31183a0930ddbe6ca5a8e022b688fa44_JaffaCakes118.exe	30
PID 2032 wrote to memory of 2676	2032	31183a0930ddbe6ca5a8e022b688fa44_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\31183a0930ddbe6ca5a8e022b688fa44_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\31183a0930ddbe6ca5a8e022b688fa44_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\~GM9666.exe
  "C:\Users\Admin\AppData\Local\Temp\~GM9666.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy96F4.tmp\XDict.ini

Filesize
1KB

MD5
1a55310e762bd1ce89374fb294e17ea6

SHA1
9266bc3632c641af6651b1db9e94016026ddcbc7

SHA256
c77a1b32861ad6f9b2173e72520709d759da1cd4f0dd1f8b9b79e82ba928e0f3

SHA512
cf58fb71ac10ef86f9702ce69ecab24a0778fe9509bbd41dcffc13648936f9894232c142e92a839e7a2c942587fdfc88f85c86c0532edba4523d29edf14b836f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy96F4.tmp\FindProcDLL.dll

Filesize
3KB

MD5
8614c450637267afacad1645e23ba24a

SHA1
e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

SHA256
0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

SHA512
af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download Submit
\Users\Admin\AppData\Local\Temp\nsy96F4.tmp\InstallOptions.dll

Filesize
15KB

MD5
9a886711c559308c39c01c20e9d9a1e3

SHA1
0f27cf1cf6e4960e140651b68d72ed4b92c58e9e

SHA256
98be8860d38ad9cf31b55a1a04594de59eabad67510ba2a33ed20a80863ddfa4

SHA512
4dabdd9ea7a8330a367589a3975a9dc7286b82c66efc7db118b4d7a2db08a467851c6d3dc991668e13c4dd5473aa974e9696a2226039db94df8b198da54354a3

Download Submit
\Users\Admin\AppData\Local\Temp\nsy96F4.tmp\System.dll

Filesize
10KB

MD5
2b54369538b0fb45e1bb9f49f71ce2db

SHA1
c20df42fda5854329e23826ba8f2015f506f7b92

SHA256
761dcdf12f41d119f49dbdca9bcab3928bbdfd8edd67e314d54689811f9d3e2f

SHA512
25e4898e3c082632dfd493756c4cc017decbef43ffa0b68f36d037841a33f2a1721f30314a85597ac30c7ecc99b7257ea43f3a903744179578a9c65fcf57a8b7

Download Submit
\Users\Admin\AppData\Local\Temp\nsy96F4.tmp\waterctrl.dll

Filesize
16KB

MD5
aefd35a23680fda066a05e4b5f6dc88e

SHA1
8278021d560722701c1f3b91b85ed96bf34bed0c

SHA256
bbc65291a3bcfb6559c391e251bca12d6b935a8a8de0825443642aa2b5e39e78

SHA512
7ac32589e0bf8889e36184058e1f2ae0a0b6c701188ed18fbaf5b45afcff06eecb760d29e342953d50091fb14ef2ee8fb3285a1ec2c1dadec3ecea18fcfe56a2

Download Submit
\Users\Admin\AppData\Local\Temp\~GM9666.exe

Filesize
83KB

MD5
2b14246d7a67f37a586b58aa3129897e

SHA1
70ce6759240112e72ab4f5fc5f9b943b0d77e4bc

SHA256
294c4c11e163ff3e2cb70d472da379a357443a1c8867eafa2de9cf65d8091f21

SHA512
3ace76f9e77f1fbfabbe92ea0c01f85db9332150a22d81637e1e6dd795c13b685954ecb34891b5ad84dd258dfa1b9d2624b581894fba51b83732e156443184f6

Download Submit
memory/2032-246-0x0000000000AB0000-0x0000000000AEA000-memory.dmp

Filesize
232KB

Download
memory/2032-5-0x0000000000AB0000-0x0000000000AEA000-memory.dmp

Filesize
232KB

Download
memory/2676-12-0x0000000000240000-0x000000000027A000-memory.dmp

Filesize
232KB

Download
memory/2676-21-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/2676-11-0x0000000000240000-0x000000000027A000-memory.dmp

Filesize
232KB

Download
memory/2676-6-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2676-247-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2676-256-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download