e45b483a0aa176d186448b35c45de6e027087bea1fa79f003c49fe7e06282b26

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a807c2d16ec69437d4da710a7754159_JaffaCakes118.exe
Size

4.3MB
MD5

3a807c2d16ec69437d4da710a7754159
SHA1

8103d72b998ee92c77a95fcfcc99dfa7efc26813
SHA256

e45b483a0aa176d186448b35c45de6e027087bea1fa79f003c49fe7e06282b26
SHA512

a280e9d7cae2c1e02254580b6ed46fe14a71011580f7798defddc989f53a376db000179627b8a6d13f2351628cd860a2e3f5575b1595c3d75a1018de818d835b
SSDEEP

98304:clDZSQwZp6+f76Jk406XuHZw5rcSGvHYobwzMVCBjOdAP:cltEHeq6XQMcS4jajOdAP

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3760	CFÍâ¹Ò.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023c8b-6.dat	upx
behavioral2/memory/3760-7-0x0000000001000000-0x000000000135E000-memory.dmp	upx
behavioral2/memory/3760-10-0x0000000001000000-0x000000000135E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4356	3760	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a807c2d16ec69437d4da710a7754159_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CFÍâ¹Ò.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3452	OpenWith.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 572 wrote to memory of 1760	572	3a807c2d16ec69437d4da710a7754159_JaffaCakes118.exe	84
PID 572 wrote to memory of 1760	572	3a807c2d16ec69437d4da710a7754159_JaffaCakes118.exe	84
PID 572 wrote to memory of 1760	572	3a807c2d16ec69437d4da710a7754159_JaffaCakes118.exe	84
PID 572 wrote to memory of 1348	572	3a807c2d16ec69437d4da710a7754159_JaffaCakes118.exe	85
PID 572 wrote to memory of 1348	572	3a807c2d16ec69437d4da710a7754159_JaffaCakes118.exe	85
PID 572 wrote to memory of 1348	572	3a807c2d16ec69437d4da710a7754159_JaffaCakes118.exe	85
PID 1348 wrote to memory of 3760	1348	cmd.exe	88
PID 1348 wrote to memory of 3760	1348	cmd.exe	88
PID 1348 wrote to memory of 3760	1348	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\3a807c2d16ec69437d4da710a7754159_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a807c2d16ec69437d4da710a7754159_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\\huigeziVersion2.0.rar"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\\CFÍâ¹Ò.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Users\Admin\AppData\Local\Temp\CFÍâ¹Ò.exe
    C:\Users\Admin\AppData\Local\Temp\\CFÍâ¹Ò.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 548
      4⤵
      Program crash
      PID:4356

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3760 -ip 3760
1⤵
PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CFÍâ¹Ò.exe

Filesize
2.5MB

MD5
e75e6f248f75270bbe6d681f6255755b

SHA1
109ad4f2123d00888503491d0edbaa8e8318ff04

SHA256
f17ce96c3b846a0630ce0fcb005d719290e4e48ccc624de44395503d1276b48d

SHA512
b81a4718e3c4040d65d2353121857e943db3720811cec5158ba1582d6f21ad9d3a00ee593a573d31044a4502f039e87ef24ac5e62452777b93893cbabc97975d

Download Submit
C:\Users\Admin\AppData\Local\Temp\huigeziVersion2.0.rar

Filesize
1.7MB

MD5
669e0ce3d3eb1cacf7c6736344bd6f3e

SHA1
bff78869c94ef4baa35e460fc24c93640c36f2a5

SHA256
5e4ba0517b2b0449326b851cf9b32db6329f9f505481eaa651b0ae8f92261c34

SHA512
010686008c75dcda602d980207723bb89288ea68c17f5fb805aac82b308b0a023e9f3521c6e5a70e70d5efd5374a997465b030638d29522641c67f3ba2cfb189

Download Submit
memory/572-2-0x0000000000400000-0x000000000084B000-memory.dmp

Filesize
4.3MB

Download
memory/3760-7-0x0000000001000000-0x000000000135E000-memory.dmp

Filesize
3.4MB

Download
memory/3760-10-0x0000000001000000-0x000000000135E000-memory.dmp

Filesize
3.4MB

Download