17c0b21baef7a9c18a9f43b507194cbb2cd3cc0379ca8b5ee5f9c65758435924

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
17/01/2025, 09:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe
Size

472KB
MD5

87c7a661c1ac80aec7e626c255736e2c
SHA1

7b8dff98a5583dfd43cfabfc7204f051b6eccaff
SHA256

17c0b21baef7a9c18a9f43b507194cbb2cd3cc0379ca8b5ee5f9c65758435924
SHA512

c360c8f730edc161cd1c68dff232785439d4b14f005586b0f84726a4a78a9da05d250e74827d47b81d147d09076d908c56b0f9ecfc0b890a6a8f2c66ce1ded04
SSDEEP

6144:iEYZe3O5JGmrpQsK3RD2u270jupCJsCxCL+YjUyf0YzRspfFHgjtx+NJmAcAGVfn:ke3XZ2zkPaCx1YQyMhHHLNAFAGmG

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\windows.exe"	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\windows.exe"	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "C:\\Program Files (x86)\\windows.exe Restart"	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2064-10-0x0000000024010000-0x0000000024072000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\windows.exe	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe
File created	C:\Program Files (x86)\windows.exe	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21
PID 2064 wrote to memory of 1188	2064	JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87c7a661c1ac80aec7e626c255736e2c.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1188-11-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/2064-1-0x00000000002F0000-0x000000000033E000-memory.dmp

Filesize
312KB

Download
memory/2064-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2064-2-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2064-6-0x0000000074CB1000-0x0000000074CB2000-memory.dmp

Filesize
4KB

Download
memory/2064-5-0x0000000077240000-0x0000000077241000-memory.dmp

Filesize
4KB

Download
memory/2064-4-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2064-3-0x0000000001F70000-0x0000000001F80000-memory.dmp

Filesize
64KB

Download
memory/2064-7-0x0000000074CA0000-0x0000000074DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2064-10-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2064-246-0x0000000074CA0000-0x0000000074DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2064-245-0x00000000002F0000-0x000000000033E000-memory.dmp

Filesize
312KB

Download