Analysis
-
max time kernel
149s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
16-10-2024 23:57
Static task
static1
Behavioral task
behavioral1
Sample
4fba3011e04fd17086d5ff5c2343c117_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
4fba3011e04fd17086d5ff5c2343c117_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
4fba3011e04fd17086d5ff5c2343c117_JaffaCakes118.exe
-
Size
13KB
-
MD5
4fba3011e04fd17086d5ff5c2343c117
-
SHA1
4c171f0d589d1fff41de4fcfad52351d95b1d752
-
SHA256
8d3dca33585cf75f58c79577b6aa3876873b0f16988a12dcb2581dfd92a12b74
-
SHA512
7e52f58fa04be7942fa80777a0f7cccc12ccde3d99a94ad1bd1516666b7c4386461a11b0949acba1f646186073eabf93d20b0dae1db8a65e57e052c53f09a169
-
SSDEEP
384:6K+dKfzQHxFxRmyja4QhiP7UlY/pjKhYsKUAylUmtybPyly9lyQ:v+dAURFxna4QAPQlYghxKUAyl9tybPyO
Malware Config
Signatures
-
Upatre
Upatre is a generic malware downloader.
-
Executes dropped EXE 1 IoCs
pid Process 2356 szgfw.exe -
Loads dropped DLL 2 IoCs
pid Process 1724 4fba3011e04fd17086d5ff5c2343c117_JaffaCakes118.exe 1724 4fba3011e04fd17086d5ff5c2343c117_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4fba3011e04fd17086d5ff5c2343c117_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1724 wrote to memory of 2356 1724 4fba3011e04fd17086d5ff5c2343c117_JaffaCakes118.exe 30 PID 1724 wrote to memory of 2356 1724 4fba3011e04fd17086d5ff5c2343c117_JaffaCakes118.exe 30 PID 1724 wrote to memory of 2356 1724 4fba3011e04fd17086d5ff5c2343c117_JaffaCakes118.exe 30 PID 1724 wrote to memory of 2356 1724 4fba3011e04fd17086d5ff5c2343c117_JaffaCakes118.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\4fba3011e04fd17086d5ff5c2343c117_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4fba3011e04fd17086d5ff5c2343c117_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Users\Admin\AppData\Local\Temp\szgfw.exe"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"2⤵
- Executes dropped EXE
PID:2356
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
13KB
MD5b0d13421ca279f466f4dce640554239d
SHA11d5abbfe407a4b72f1c9e64a92daf7b76e4dda7c
SHA25655141b7180b6969b5fde16a678540dfc7ad81c23d6a1dfbb9492c84a3ca7f264
SHA512b5408999fccf8a03dd41174a151501f33a4fe19b381ceb9caf7e1ee5a45ca7936acd5ed92438d9d43e42ee469f9f54e9e644d489d97d98cf57ed6d7f3bca9dcb