a9cdc7b144f32c393293711477bab44615ab5538673ecb3070fb93e99d796cd5

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

416c02fe51b59ffde9d9708e4067d5cb_JaffaCakes118.exe
Size

8KB
MD5

416c02fe51b59ffde9d9708e4067d5cb
SHA1

c9294482f2a86d2aca373d0e4a0b474a078cf53d
SHA256

a9cdc7b144f32c393293711477bab44615ab5538673ecb3070fb93e99d796cd5
SHA512

74c6be7f2c78189db23df6deb8f0cf655871d7d11455a7ba2bcfd08621a3e165cc580a5aea28b9bf9d14e4959c7cfc4a1331d507691263f28db211ee49c4021c
SSDEEP

192:AmEblnotCc8h8ngOJkduAm63uK4O2wsFaNJhLkwcud2DH9VwGfct/fLi:AdBotCc8hdkiTeFaNJawcudoD7Udu

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2360	b2e.exe

Loads dropped DLL 2 IoCs

pid	Process
792	416c02fe51b59ffde9d9708e4067d5cb_JaffaCakes118.exe
792	416c02fe51b59ffde9d9708e4067d5cb_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/792-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/792-12-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	416c02fe51b59ffde9d9708e4067d5cb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2e.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 2360	792	416c02fe51b59ffde9d9708e4067d5cb_JaffaCakes118.exe	31
PID 792 wrote to memory of 2360	792	416c02fe51b59ffde9d9708e4067d5cb_JaffaCakes118.exe	31
PID 792 wrote to memory of 2360	792	416c02fe51b59ffde9d9708e4067d5cb_JaffaCakes118.exe	31
PID 792 wrote to memory of 2360	792	416c02fe51b59ffde9d9708e4067d5cb_JaffaCakes118.exe	31
PID 2360 wrote to memory of 2164	2360	b2e.exe	32
PID 2360 wrote to memory of 2164	2360	b2e.exe	32
PID 2360 wrote to memory of 2164	2360	b2e.exe	32
PID 2360 wrote to memory of 2164	2360	b2e.exe	32
PID 2164 wrote to memory of 2788	2164	cmd.exe	34
PID 2164 wrote to memory of 2788	2164	cmd.exe	34
PID 2164 wrote to memory of 2788	2164	cmd.exe	34
PID 2164 wrote to memory of 2788	2164	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\416c02fe51b59ffde9d9708e4067d5cb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\416c02fe51b59ffde9d9708e4067d5cb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:792
- C:\Users\Admin\AppData\Local\Temp\E743.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\E743.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\E743.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\416c02fe51b59ffde9d9708e4067d5cb_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\E7A1.tmp\batchfile.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E7A1.tmp\batchfile.bat

Filesize
631B

MD5
2684552359e574ada6a43cb29efd6bf1

SHA1
4f646f04fb2a748475d1120fa8a9c2c5f9b3ee83

SHA256
00365e70bacfc06212d17bea2b1b319faff14aa7727a9a71c6b50ee6cf8b9b34

SHA512
e8e8f169be24e81e7dd1db5cbcadc0fa19636895bff0f9d02fa7e9fd3de1d4c54d1019a5972d1570c255120eaf0fb1c221b4579d838c8688c57ab8508f42b7f5

Download Submit
\Users\Admin\AppData\Local\Temp\E743.tmp\b2e.exe

Filesize
9KB

MD5
d2781bdfcb70546bc6318679f688ac21

SHA1
d64a760792af249a13524ae360c864c044d32b4a

SHA256
d232949d7446629bad37e76bfc10affdb6421a068f5d70669e04dd2c8d89cbea

SHA512
98fbeb5f1c211f8a0ce8ea9931c97230480f74612015ef1a732c47eb94bc871af75783ee085862ec8bfeec9a65546eec1efc53c057ec4e633d2431cc960b27f2

Download Submit
memory/792-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/792-4-0x00000000003E0000-0x00000000003E5000-memory.dmp

Filesize
20KB

Download
memory/792-12-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2360-15-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download