a5f714f71e03362231fd18b77d7c020b28df401dec365301fc02d8b52be298ea

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24/07/2024, 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a2c12fb8d78d11070c25ce8fd12f4c2_JaffaCakes118.exe
Size

212KB
MD5

6a2c12fb8d78d11070c25ce8fd12f4c2
SHA1

5257df93306b5cd645a0fef4252031224d4ce1b8
SHA256

a5f714f71e03362231fd18b77d7c020b28df401dec365301fc02d8b52be298ea
SHA512

7853f086d1eb6f68addba7ae95db8e9e0482e8728fa597cd303a3ad0c257b7d6250022a822397054e83f8670198fe473655520ece9bf64cc1a79937784876ddb
SSDEEP

3072:DOPS46Qrxue+0RHBoflNwMmocmWP+UvjH6i/XWH2nJdIBBBOnU2/UuanDzgCjW/i:CPS46wHhYYoBu+o7u2nvsKHcLnXgCH1

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2308	6a2c12fb8d78d11070c25ce8fd12f4c2_JaffaCakes118.TMP0

Loads dropped DLL 3 IoCs

pid	Process
2224	6a2c12fb8d78d11070c25ce8fd12f4c2_JaffaCakes118.exe
2224	6a2c12fb8d78d11070c25ce8fd12f4c2_JaffaCakes118.exe
2224	6a2c12fb8d78d11070c25ce8fd12f4c2_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2224 set thread context of 2308	2224	6a2c12fb8d78d11070c25ce8fd12f4c2_JaffaCakes118.exe	28

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a2c12fb8d78d11070c25ce8fd12f4c2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a2c12fb8d78d11070c25ce8fd12f4c2_JaffaCakes118.TMP0

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0b6d74fe-ad29-4c92-ac06-f06bc2f238a7}	6a2c12fb8d78d11070c25ce8fd12f4c2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	6a2c12fb8d78d11070c25ce8fd12f4c2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B124F8F-91F0-11D1-B8B5-006008059382}	6a2c12fb8d78d11070c25ce8fd12f4c2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	6a2c12fb8d78d11070c25ce8fd12f4c2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2308	2224	6a2c12fb8d78d11070c25ce8fd12f4c2_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2308	2224	6a2c12fb8d78d11070c25ce8fd12f4c2_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2308	2224	6a2c12fb8d78d11070c25ce8fd12f4c2_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2308	2224	6a2c12fb8d78d11070c25ce8fd12f4c2_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2308	2224	6a2c12fb8d78d11070c25ce8fd12f4c2_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2308	2224	6a2c12fb8d78d11070c25ce8fd12f4c2_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\6a2c12fb8d78d11070c25ce8fd12f4c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6a2c12fb8d78d11070c25ce8fd12f4c2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\6a2c12fb8d78d11070c25ce8fd12f4c2_JaffaCakes118.TMP0
  "C:\Users\Admin\AppData\Local\Temp\6a2c12fb8d78d11070c25ce8fd12f4c2_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6a2c12fb8d78d11070c25ce8fd12f4c2_JaffaCakes118.TMP0

Filesize
126KB

MD5
341a5c4faeb65d855602414e668dff9c

SHA1
7a22805bf265c69ba93e5fb46ad1137b45832858

SHA256
03b83f1ab834fed2f19433f56d783bab6329f87475002f1a2b0c7c313481b69e

SHA512
7ccd57c889188b8c86df4312ec10aa89f218d1d7f6afd4801b1b007cab9b6ecd3f99fc5dbe91ec6d95130c58fd3a32f07b0496d32e10917cfb2aeba5c8bb5995

Download Submit
\Users\Admin\AppData\Local\Temp\ArmC699.tmp

Filesize
64KB

MD5
e99a5f2bf65521137b0276146c2b493a

SHA1
8668f6adc2613bcd8b1403779a707466d4cc6174

SHA256
c000978738a9c544fd3d2689bc8017dd42fdbf9428ae9183c8742baf34dd96c4

SHA512
ddbbc88546f522f3d99f296ac4fb1fdd72e7f6604081ab17f0f16e065f69db01dd2f7b7d249904737d386db6006123dde2965234e36a497cd48394d13b4e758f

Download Submit
memory/2224-11-0x0000000000420000-0x0000000000440000-memory.dmp

Filesize
128KB

Download
memory/2224-10-0x0000000000420000-0x0000000000440000-memory.dmp

Filesize
128KB

Download
memory/2308-13-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2308-14-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download