d9ea589dd2fb0728e4dafa519de051656c4fc4e220f44cf81640b00059b80b19

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 14:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Size

40KB
MD5

4058fb13c005d765d36710d0d955d4a0
SHA1

ef4841d0b6e694edaf5bb98b06ff85e8a6030375
SHA256

d9ea589dd2fb0728e4dafa519de051656c4fc4e220f44cf81640b00059b80b19
SHA512

5a9cf392ec6b923e70a64b62e026440a524bc7caee517b01d745e3b968007ab227f149c81084d49c4c8135608433e3e4eb6661b267f944981cb54d0606960ec9
SSDEEP

768:Q1BS/fpwqPy30M00sjfcaQO+xkZVln/ikgZ:Qkuc+WJfcAvH/fw

Score

7^/10

defense_evasion discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000016140-3.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2444	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\efc0c52cc1.dll	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016140-3.dat	upx
behavioral1/memory/2840-5-0x0000000010000000-0x0000000010010000-memory.dmp	upx
behavioral1/memory/2840-7-0x0000000010000000-0x0000000010010000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\fOnts\PrZWDcWgjaE3SQyr.Ttf	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{028A997C-4262-4107-BD46-2ABBC6143E8C}	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{028A997C-4262-4107-BD46-2ABBC6143E8C}\InprocServer32	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{028A997C-4262-4107-BD46-2ABBC6143E8C}\InprocServer32\ = "C:\\Windows\\SysWow64\\efc0c52cc1.dll"	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{028A997C-4262-4107-BD46-2ABBC6143E8C}\InprocServer32\ThreadingModel = "Apartment"	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID\{028A997C-4262-4107-BD46-2ABBC6143E8C}\InprocServer32	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2444	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe	29
PID 2840 wrote to memory of 2444	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe	29
PID 2840 wrote to memory of 2444	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe	29
PID 2840 wrote to memory of 2444	2840	4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4058fb13c005d765d36710d0d955d4a0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\4058FB~1.EXE >> NUL
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\efc0c52cc1.dll

Filesize
16KB

MD5
ad835a4b28bb33586f0ccf25bdd822e4

SHA1
736da6d6829a378ea48136ea434e862e5063a638

SHA256
a6710692dd556d9ff8c56f075f2fd8ecfe108c009baa4acf4e541d634b97e08f

SHA512
93410cf7f5d9d4eaf99e0359251e7cf251452b58a441d0e94ca4a18cb418b7c611193a6e665cb51b7ea5713c0f1d68adec850fb41363964507cdaebfcf5549ff

Download Submit
memory/2840-5-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2840-7-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download