eac446bbf4f95d4780ab8573d3775f98de6a1efe455b39f087eb16655395df50

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fae566b41f9c53f1f4d137ff241aac6_JaffaCakes118.exe
Size

5.7MB
MD5

6fae566b41f9c53f1f4d137ff241aac6
SHA1

85203ff23317aa2df37ebbad2b7e08f9eef311b4
SHA256

eac446bbf4f95d4780ab8573d3775f98de6a1efe455b39f087eb16655395df50
SHA512

3a870f36e8384e72f17fc5504e4a46786fb0b0dcdde019f8764e0dfccf665e59fc319dda7c7d52a943de97bd2d9262a561cf5c33bf16c1cad84ae5c708bb71d3
SSDEEP

98304:/3af73bE2Q1V/37Gn4i0Y4bhuApBTR8pmiuflVmR6hqfBBMytuAsw/j1zd:/3i3bg/3CnL0/d8IQ6h6uccMjBd

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\International\Geo\Nation	saInst.exe

Executes dropped EXE 1 IoCs

pid	Process
2308	saInst.exe

Loads dropped DLL 9 IoCs

pid	Process
1700	6fae566b41f9c53f1f4d137ff241aac6_JaffaCakes118.exe
2308	saInst.exe
2308	saInst.exe
2308	saInst.exe
2308	saInst.exe
2308	saInst.exe
2308	saInst.exe
2308	saInst.exe
2308	saInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6fae566b41f9c53f1f4d137ff241aac6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saInst.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2308	saInst.exe
2308	saInst.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2308	1700	6fae566b41f9c53f1f4d137ff241aac6_JaffaCakes118.exe	31
PID 1700 wrote to memory of 2308	1700	6fae566b41f9c53f1f4d137ff241aac6_JaffaCakes118.exe	31
PID 1700 wrote to memory of 2308	1700	6fae566b41f9c53f1f4d137ff241aac6_JaffaCakes118.exe	31
PID 1700 wrote to memory of 2308	1700	6fae566b41f9c53f1f4d137ff241aac6_JaffaCakes118.exe	31
PID 1700 wrote to memory of 2308	1700	6fae566b41f9c53f1f4d137ff241aac6_JaffaCakes118.exe	31
PID 1700 wrote to memory of 2308	1700	6fae566b41f9c53f1f4d137ff241aac6_JaffaCakes118.exe	31
PID 1700 wrote to memory of 2308	1700	6fae566b41f9c53f1f4d137ff241aac6_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\6fae566b41f9c53f1f4d137ff241aac6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6fae566b41f9c53f1f4d137ff241aac6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\SiteAdvisor\saInst.exe
  "C:\Users\Admin\AppData\Local\Temp\SiteAdvisor\saInst.exe" "C:\Users\Admin\AppData\Local\Temp\6fae566b41f9c53f1f4d137ff241aac6_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SiteAdvisor\McPlgUI.dll

Filesize
166KB

MD5
82a1a97820f29ff3cb3eb7eb9ecf86a9

SHA1
80e364bf127a24f170406a1cd7fa86eb597a9081

SHA256
7a45f37ebff001c94c2530e48b2b3c0697d1bac8fe30d89391a0a6cde2c1cec5

SHA512
a74c1aa9e90d0f8d0d6eee1936068868ce60f794a31f58988759eef3ece6f79fd0787deee8c86c8e88663d51202c5e23aba2af4eddfef5307dd128bb5c5e0a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SiteAdvisor\McSacIns.dll

Filesize
14KB

MD5
6ec43c7aad960d572b30effeef009b7c

SHA1
7c09bf4ee91bf53ee07358fa7a2e2873d6dab86b

SHA256
8ad8e02cf298fcc5210affd91b0cb6bd070180f5f0d78295b953bbf81ea8bc21

SHA512
259f9f7ef35e504775dd788ff0de6762a1372f1940a96c4c99073b5e7423763e7054fe8b76e6d1a393b699a19b47cca8bd03ceeecd5e49f22c6c441dbe6794ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\SiteAdvisor\saRes.dll

Filesize
2.1MB

MD5
f520939afcd7661e6082254a4bba0fae

SHA1
bc173d48262ba4f6038d85e479f65b0a619c0ecb

SHA256
df3319cc0563ba3c17707d95143ea870284af8898390b9880efb43e10546b3f5

SHA512
3c4bd5b76daa4e4ab70aaea389a6301a8e1851379b6b9901d30cc9ac4067fcadd4614331e2d8401124094f4146c4d4d17c5c55c6fe13ec400af59b05ae048874

Download Submit
C:\Users\Admin\AppData\Local\Temp\SiteAdvisor\ytb_inst.exe

Filesize
2.7MB

MD5
30b8223465b5596563d21d7bc84c6bbc

SHA1
03f1dd7bccca087c2d714755ee8ce7a049c03096

SHA256
96caba748cefba92875c3d00d033838cc92480052a4a22f6a451fb252fba18be

SHA512
caff833a581cc2d03af663fc8cc8a4610333c981c8a2eee53c6e4663c0bb5dc6c993714e69ea56569113d4bcc015420448382c44e9b40d8e025f167ab5a14e1b

Download Submit
\Users\Admin\AppData\Local\Temp\SiteAdvisor\saInst.exe

Filesize
122KB

MD5
f20017a9a655ca3604313cd982ffbce3

SHA1
ea40699e63a79ad12aad962bd6d0ad38b3abf664

SHA256
0b4be27c06c0a1a11a49ca9cc7b04b26a9b88dc80cfd9e38ae6cbe2a9398b3ba

SHA512
a1307150f2df5dfa93b7b62f7f25ec6ea7a8dbea8a9fe62a64703a4f05f8e928a9859a7a9cc2d48280e428cb66067175488fdd2eac5cfd5e18d668b08574829d

Download Submit
memory/2308-40-0x00000000002F0000-0x000000000031C000-memory.dmp

Filesize
176KB

Download
memory/2308-43-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download