16df2c97a360e199f3fc56c60196ddc74ab5e638b83378f4137e2cd87e37530b

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

719ae9c704f6f32f2dc75e78a0561056_JaffaCakes118.exe
Size

389KB
MD5

719ae9c704f6f32f2dc75e78a0561056
SHA1

741653be095334d5d30f0573166715da9604a62e
SHA256

16df2c97a360e199f3fc56c60196ddc74ab5e638b83378f4137e2cd87e37530b
SHA512

59abadfffe7f6fc9b9fec84c638fa57c3b7b5f7f6e7525cf2b97914a78fe699a9a71e8a4124929eb594a0fd1014073322dd6ef575e632e3838e65d1b63a6dba5
SSDEEP

6144:CTjNddmi0JzmImfPVhHk0813ejg57nrV7IubXoXjTNlmiiswQYtd+YhyPNHCl/:2Ndd3+zmn1U1u+rVUmoX0swrtd7G5o

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SYSTEM = "C:\\WINDOWS\\system\\explore.exe"	regedit.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\system\explore.exe	719ae9c704f6f32f2dc75e78a0561056_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\system\explore.exe	719ae9c704f6f32f2dc75e78a0561056_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	719ae9c704f6f32f2dc75e78a0561056_JaffaCakes118.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2852	regedit.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2800	2720	719ae9c704f6f32f2dc75e78a0561056_JaffaCakes118.exe	30
PID 2720 wrote to memory of 2800	2720	719ae9c704f6f32f2dc75e78a0561056_JaffaCakes118.exe	30
PID 2720 wrote to memory of 2800	2720	719ae9c704f6f32f2dc75e78a0561056_JaffaCakes118.exe	30
PID 2720 wrote to memory of 2800	2720	719ae9c704f6f32f2dc75e78a0561056_JaffaCakes118.exe	30
PID 2800 wrote to memory of 2852	2800	cmd.exe	32
PID 2800 wrote to memory of 2852	2800	cmd.exe	32
PID 2800 wrote to memory of 2852	2800	cmd.exe	32
PID 2800 wrote to memory of 2852	2800	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\719ae9c704f6f32f2dc75e78a0561056_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\719ae9c704f6f32f2dc75e78a0561056_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\explore.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s svchost.reg
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.reg

Filesize
132B

MD5
05ca0b49ce6eb0d27bdbbe9b947861bd

SHA1
9e56210702a0d6a78b07d82e155b4fea61688798

SHA256
7b411b130d8cb5441f033eb73db9976ff406cce95cb615d7772788c04a0c1876

SHA512
4301db74d4a2289a72045e745d014e8269b5a408deff1019da30742d3a68262ce55e354153ce192b01707398715578092f3215721ae1c62b6b043b5772485d77

Download Submit
C:\explore.bat

Filesize
720B

MD5
7133aaab6f38a7a7798a7c682e567d24

SHA1
6b067c68b0b3b265f7dcd3be78c7a487e2c00b74

SHA256
d507a7108133e9cc2c5ad94bbafab4b55bc19bb9544a780c5d73adbb240c8cc2

SHA512
7af38dc13985353512335b4104da4173998ce92f90b9fed6ef243024a9a89c52c6140e1469987d66dc255674e2fcde98d19c3c2c04db8bebf805d3e55f3b2228

Download Submit
memory/2720-0-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2720-18-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2720-20-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads