e42f9542a52809b7051da53de02a030b379086e4d3db2a7a25a02bb7e16c73c3

Analysis

max time kernel
85s
max time network
20s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e819feb5e4a8e3ef2eb56225dc91f1f_JaffaCakes118.exe
Size

421KB
MD5

3e819feb5e4a8e3ef2eb56225dc91f1f
SHA1

2c14d385d53a8c2397107d289092a71122922efc
SHA256

e42f9542a52809b7051da53de02a030b379086e4d3db2a7a25a02bb7e16c73c3
SHA512

a4f78abb72be01ed01b6656ffac913d1a24c267de1ae02048f9ceafbdbc63fd9c564485efd04664939c3ba510b13b820155b93317a1e4d3f13463b37a2642b27
SSDEEP

6144:zKOVqacyLoJNOtGg4i+rKInNg7PqDK7tKQrICVIF7ul67oDE:zKwtL6NOtGgvyKqeUKHc9Fil67ow

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2660	Txeraa.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1040-1-0x0000000000230000-0x000000000029B000-memory.dmp	upx
behavioral1/memory/1040-0-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/files/0x0007000000018b68-13.dat	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Txeraa.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	3e819feb5e4a8e3ef2eb56225dc91f1f_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	3e819feb5e4a8e3ef2eb56225dc91f1f_JaffaCakes118.exe
File created	C:\Windows\Txeraa.exe	3e819feb5e4a8e3ef2eb56225dc91f1f_JaffaCakes118.exe
File opened for modification	C:\Windows\Txeraa.exe	3e819feb5e4a8e3ef2eb56225dc91f1f_JaffaCakes118.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Txeraa.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e819feb5e4a8e3ef2eb56225dc91f1f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Txeraa.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	Txeraa.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	3e819feb5e4a8e3ef2eb56225dc91f1f_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe
2660	Txeraa.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1040	3e819feb5e4a8e3ef2eb56225dc91f1f_JaffaCakes118.exe
2660	Txeraa.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 2660	1040	3e819feb5e4a8e3ef2eb56225dc91f1f_JaffaCakes118.exe	29
PID 1040 wrote to memory of 2660	1040	3e819feb5e4a8e3ef2eb56225dc91f1f_JaffaCakes118.exe	29
PID 1040 wrote to memory of 2660	1040	3e819feb5e4a8e3ef2eb56225dc91f1f_JaffaCakes118.exe	29
PID 1040 wrote to memory of 2660	1040	3e819feb5e4a8e3ef2eb56225dc91f1f_JaffaCakes118.exe	29
PID 1040 wrote to memory of 2660	1040	3e819feb5e4a8e3ef2eb56225dc91f1f_JaffaCakes118.exe	29
PID 1040 wrote to memory of 2660	1040	3e819feb5e4a8e3ef2eb56225dc91f1f_JaffaCakes118.exe	29
PID 1040 wrote to memory of 2660	1040	3e819feb5e4a8e3ef2eb56225dc91f1f_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\3e819feb5e4a8e3ef2eb56225dc91f1f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3e819feb5e4a8e3ef2eb56225dc91f1f_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\Txeraa.exe
  C:\Windows\Txeraa.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
372B

MD5
0d4b2006ecb76e4df5ce6a862034903b

SHA1
b5c2bac74162c5143d48495d4651e4e7d1251de0

SHA256
f7dec4a8165fd9bc370fc05f0dc3e0a99febe4f7fa3aa2975ee5ce21d08d843b

SHA512
55f5b8b478b276b1593fddab302b24d53326b3019edf83db67471a3396585708f71b4f8d25f91be060704c73491b6e0cdc2e9244cabecdb24b968651a7142077

Download Submit
C:\Windows\Txeraa.exe

Filesize
421KB

MD5
3e819feb5e4a8e3ef2eb56225dc91f1f

SHA1
2c14d385d53a8c2397107d289092a71122922efc

SHA256
e42f9542a52809b7051da53de02a030b379086e4d3db2a7a25a02bb7e16c73c3

SHA512
a4f78abb72be01ed01b6656ffac913d1a24c267de1ae02048f9ceafbdbc63fd9c564485efd04664939c3ba510b13b820155b93317a1e4d3f13463b37a2642b27

Download Submit
memory/1040-3-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1040-2-0x0000000000230000-0x000000000029B000-memory.dmp

Filesize
428KB

Download
memory/1040-1-0x0000000000230000-0x000000000029B000-memory.dmp

Filesize
428KB

Download
memory/1040-0-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1040-7-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1040-113675-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1040-4-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2660-23293-0x0000000001E50000-0x0000000001F50000-memory.dmp

Filesize
1024KB

Download
memory/2660-23267-0x0000000001E50000-0x0000000001F50000-memory.dmp

Filesize
1024KB

Download
memory/2660-22-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2660-24-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2660-23297-0x0000000001E50000-0x0000000001F50000-memory.dmp

Filesize
1024KB

Download
memory/2660-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2660-23288-0x0000000001E50000-0x0000000001F50000-memory.dmp

Filesize
1024KB

Download
memory/2660-23283-0x0000000001E50000-0x0000000001F50000-memory.dmp

Filesize
1024KB

Download
memory/2660-23278-0x0000000001E50000-0x0000000001F50000-memory.dmp

Filesize
1024KB

Download
memory/2660-23276-0x0000000001E50000-0x0000000001F50000-memory.dmp

Filesize
1024KB

Download
memory/2660-23272-0x0000000001E50000-0x0000000001F50000-memory.dmp

Filesize
1024KB

Download
memory/2660-21-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2660-23262-0x0000000001E50000-0x0000000001F50000-memory.dmp

Filesize
1024KB

Download
memory/2660-23258-0x0000000001E50000-0x0000000001F50000-memory.dmp

Filesize
1024KB

Download
memory/2660-23246-0x0000000001E50000-0x0000000001F50000-memory.dmp

Filesize
1024KB

Download
memory/2660-23298-0x0000000001E50000-0x0000000001F50000-memory.dmp

Filesize
1024KB

Download
memory/2660-48259-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2660-23268-0x0000000001E50000-0x0000000001F50000-memory.dmp

Filesize
1024KB

Download
memory/2660-23252-0x0000000001E50000-0x0000000001F50000-memory.dmp

Filesize
1024KB

Download
memory/2660-23248-0x0000000001E50000-0x0000000001F50000-memory.dmp

Filesize
1024KB

Download
memory/2660-23247-0x0000000001E50000-0x0000000001F50000-memory.dmp

Filesize
1024KB

Download
memory/2660-14-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download