4fba0fc853adba3582d93668c1b2c3ad866a6f3e71a8b21959ab3ea0a6b25754

Analysis

max time kernel
141s
max time network
142s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
11/02/2025, 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_eb31879ac63a3dc0144f9dc39249604c.exe
Size

316KB
MD5

eb31879ac63a3dc0144f9dc39249604c
SHA1

55a18ae6ecfe0712c28358cd1e0da4f73f5e4b70
SHA256

4fba0fc853adba3582d93668c1b2c3ad866a6f3e71a8b21959ab3ea0a6b25754
SHA512

586976b740370348dc6fc7543a300505d672e14e3b01ec84f91cfe9aab377841e4ae50350c88e07ab27a3bd0fa355c5ecdd5df7bf7e1e79508594c52c7e34c5a
SSDEEP

6144:8/0uozFBzSG3w8biEJxIB/YrEamFTJZhLPdVEveT4Kpa7:8JoFBzxw0ijSEldZxdWve0ea7

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2836	Setup.exe

Loads dropped DLL 4 IoCs

pid	Process
2760	JaffaCakes118_eb31879ac63a3dc0144f9dc39249604c.exe
2836	Setup.exe
2836	Setup.exe
2836	Setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JaffaCakes118_eb31879ac63a3dc0144f9dc39249604c.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2760-6-0x0000000000230000-0x00000000002BC000-memory.dmp	upx
behavioral1/files/0x0009000000014723-4.dat	upx
behavioral1/memory/2836-22-0x0000000000400000-0x000000000048C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_eb31879ac63a3dc0144f9dc39249604c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2836	2760	JaffaCakes118_eb31879ac63a3dc0144f9dc39249604c.exe	30
PID 2760 wrote to memory of 2836	2760	JaffaCakes118_eb31879ac63a3dc0144f9dc39249604c.exe	30
PID 2760 wrote to memory of 2836	2760	JaffaCakes118_eb31879ac63a3dc0144f9dc39249604c.exe	30
PID 2760 wrote to memory of 2836	2760	JaffaCakes118_eb31879ac63a3dc0144f9dc39249604c.exe	30
PID 2760 wrote to memory of 2836	2760	JaffaCakes118_eb31879ac63a3dc0144f9dc39249604c.exe	30
PID 2760 wrote to memory of 2836	2760	JaffaCakes118_eb31879ac63a3dc0144f9dc39249604c.exe	30
PID 2760 wrote to memory of 2836	2760	JaffaCakes118_eb31879ac63a3dc0144f9dc39249604c.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eb31879ac63a3dc0144f9dc39249604c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eb31879ac63a3dc0144f9dc39249604c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe

Filesize
202KB

MD5
b0d4a591a1785cad61bf56609a19e9bf

SHA1
8e5c4cf58e95790d6cdbcb38897d322bae526f6a

SHA256
1a91c046acdb95f398b32096f6fbbe11321d4e4c438ca239d1dcc142b2b92c58

SHA512
ca1812dde3d3b8186ab097436e75805dfd5233d2a1792656db6f85237c27a45535647a247d924763ac98eff87fa6e5bdc7d57e27b81a8ce6978f1d103b31b14a

Download Submit
memory/2760-6-0x0000000000230000-0x00000000002BC000-memory.dmp

Filesize
560KB

Download
memory/2836-11-0x00000000008F0000-0x000000000097C000-memory.dmp

Filesize
560KB

Download
memory/2836-22-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads