parallax | 56d9586cd29c21f2bec09840b7f601aca64f84ae8be4c5c4b12ece816114d99b

Analysis

max time kernel
148s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/03/2025, 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe
Size

201KB
MD5

3f97ddc310d949c36dd5dddcde70dd30
SHA1

aa8db976339cac03c0a1a41db344e468dda58006
SHA256

56d9586cd29c21f2bec09840b7f601aca64f84ae8be4c5c4b12ece816114d99b
SHA512

3c5a97a7c65a4a3bf81139bf58f3730e8faa2d4d4efcf3ba4ccaeae018ee06b797bb0e6cfc6b4156e1881ee3e79edfb08ea0b3fc57b1c59f540006dfe4fa4455
SSDEEP

6144:Hza2Nj+MLxwkcWTq/81DDiSTz9nqEja3TXU0xtFH:HqEjk7l7FH

Score

10^/10

parallax discovery persistence rat upx

Malware Config

Signatures

Parallax family
parallax
ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

Executes dropped EXE 2 IoCs

pid	Process
3248	security.exe
2564	security.exe

Loads dropped DLL 6 IoCs

pid	Process
1412	JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe
1412	JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe
1412	JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe
1412	JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe
1412	JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe
3248	security.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Security = "C:\\Users\\Admin\\AppData\\Roaming\\Security\\security.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2152 set thread context of 1412	2152	JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe	31
PID 3248 set thread context of 2564	3248	security.exe	36
PID 3248 set thread context of 1904	3248	security.exe	37

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1412-360-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1412-368-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1412-366-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1412-355-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1412-353-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1412-789-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2564-791-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	security.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	security.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe
Token: SeDebugPrivilege	2564	security.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2152	JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe
1412	JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe
3248	security.exe
2564	security.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 1412	2152	JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe	31
PID 2152 wrote to memory of 1412	2152	JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe	31
PID 2152 wrote to memory of 1412	2152	JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe	31
PID 2152 wrote to memory of 1412	2152	JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe	31
PID 2152 wrote to memory of 1412	2152	JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe	31
PID 2152 wrote to memory of 1412	2152	JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe	31
PID 2152 wrote to memory of 1412	2152	JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe	31
PID 2152 wrote to memory of 1412	2152	JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe	31
PID 1412 wrote to memory of 3172	1412	JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe	32
PID 1412 wrote to memory of 3172	1412	JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe	32
PID 1412 wrote to memory of 3172	1412	JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe	32
PID 1412 wrote to memory of 3172	1412	JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe	32
PID 3172 wrote to memory of 3224	3172	cmd.exe	34
PID 3172 wrote to memory of 3224	3172	cmd.exe	34
PID 3172 wrote to memory of 3224	3172	cmd.exe	34
PID 3172 wrote to memory of 3224	3172	cmd.exe	34
PID 1412 wrote to memory of 3248	1412	JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe	35
PID 1412 wrote to memory of 3248	1412	JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe	35
PID 1412 wrote to memory of 3248	1412	JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe	35
PID 1412 wrote to memory of 3248	1412	JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe	35
PID 3248 wrote to memory of 2564	3248	security.exe	36
PID 3248 wrote to memory of 2564	3248	security.exe	36
PID 3248 wrote to memory of 2564	3248	security.exe	36
PID 3248 wrote to memory of 2564	3248	security.exe	36
PID 3248 wrote to memory of 2564	3248	security.exe	36
PID 3248 wrote to memory of 2564	3248	security.exe	36
PID 3248 wrote to memory of 2564	3248	security.exe	36
PID 3248 wrote to memory of 2564	3248	security.exe	36
PID 3248 wrote to memory of 1904	3248	security.exe	37
PID 3248 wrote to memory of 1904	3248	security.exe	37
PID 3248 wrote to memory of 1904	3248	security.exe	37
PID 3248 wrote to memory of 1904	3248	security.exe	37
PID 3248 wrote to memory of 1904	3248	security.exe	37
PID 3248 wrote to memory of 1904	3248	security.exe	37
PID 3248 wrote to memory of 1904	3248	security.exe	37
PID 3248 wrote to memory of 1904	3248	security.exe	37
PID 3248 wrote to memory of 1904	3248	security.exe	37

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f97ddc310d949c36dd5dddcde70dd30.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\KPLMX.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3172
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Security" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Security\security.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:3224
- - C:\Users\Admin\AppData\Roaming\Security\security.exe
    "C:\Users\Admin\AppData\Roaming\Security\security.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Users\Admin\AppData\Roaming\Security\security.exe
      "C:\Users\Admin\AppData\Roaming\Security\security.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2564
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KPLMX.bat

Filesize
147B

MD5
6f473a1ba53e043362047f72e20b34f4

SHA1
e8f121a589e1207ed950453376ee1d21b1223835

SHA256
5fbce2c77a90ba9edbcf60be3851ab81633b7c10b1babb624d475c7be589de4b

SHA512
b4976d40bc708ae6cddf367a5382cd532e4cf235b848cdaa4e4d317e06d9126e50745a7772591bc21dc7380689f4399e57501b0aa73cd231bce32e22d53b0818

Download Submit
\Users\Admin\AppData\Roaming\Security\security.exe

Filesize
201KB

MD5
f01d60597298334609cb43cd953b514b

SHA1
b57cd0865f23490f98ad417e5bd6a3deab012bfc

SHA256
b9bb2895101393ddd77094a1795763a8856502a6736e67c8888251b720de0115

SHA512
296e513e996a5e1a6339b4ad2d956ea438f0544309005ba303099e0c8e9fe7d4bb620d397c0e31f64b5fe3d61c5563fa3573b014b3afae7f2b5cba09aa34f224

Download Submit
memory/1412-355-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1412-368-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1412-359-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1412-789-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1412-366-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1412-360-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1412-351-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1412-353-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2152-20-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2152-10-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2152-4-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2152-357-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

Filesize
4KB

Download
memory/2152-16-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2152-358-0x0000000001C00000-0x0000000001C01000-memory.dmp

Filesize
4KB

Download
memory/2564-791-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads