96783fbf42d0a1b38a41852cdc83118a1a04a0594545da102c5ee81184d24e5f

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25-07-2024 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fc4078c92239ae0b6928d78ae4fc30c_JaffaCakes118.exe
Size

399KB
MD5

6fc4078c92239ae0b6928d78ae4fc30c
SHA1

e8407057aebe63d974fa249274cbf92affa3b69e
SHA256

96783fbf42d0a1b38a41852cdc83118a1a04a0594545da102c5ee81184d24e5f
SHA512

8e673f4993543ff127ae3411156bb9ef4f228e4a22c39f5c0024b0d820704a315f53c052a9398d4620b7978b280a1f296264053a58f3dbbf64f19fcf463f91f9
SSDEEP

12288:+XcxiW/PnOOH5NQWqMF3cDgl8FYGq6h3m:lnxZNQKcDg2Yy1m

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2064	server51.exe
1640	server51.exe

Loads dropped DLL 2 IoCs

pid	Process
2428	6fc4078c92239ae0b6928d78ae4fc30c_JaffaCakes118.exe
2064	server51.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2064 set thread context of 1640	2064	server51.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6fc4078c92239ae0b6928d78ae4fc30c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server51.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: 33	2428	6fc4078c92239ae0b6928d78ae4fc30c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2428	6fc4078c92239ae0b6928d78ae4fc30c_JaffaCakes118.exe
Token: 33	2428	6fc4078c92239ae0b6928d78ae4fc30c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2428	6fc4078c92239ae0b6928d78ae4fc30c_JaffaCakes118.exe
Token: 33	2428	6fc4078c92239ae0b6928d78ae4fc30c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2428	6fc4078c92239ae0b6928d78ae4fc30c_JaffaCakes118.exe
Token: 33	2428	6fc4078c92239ae0b6928d78ae4fc30c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2428	6fc4078c92239ae0b6928d78ae4fc30c_JaffaCakes118.exe
Token: 33	2064	server51.exe
Token: SeIncBasePriorityPrivilege	2064	server51.exe
Token: 33	2064	server51.exe
Token: SeIncBasePriorityPrivilege	2064	server51.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2064	server51.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2064	2428	6fc4078c92239ae0b6928d78ae4fc30c_JaffaCakes118.exe	30
PID 2428 wrote to memory of 2064	2428	6fc4078c92239ae0b6928d78ae4fc30c_JaffaCakes118.exe	30
PID 2428 wrote to memory of 2064	2428	6fc4078c92239ae0b6928d78ae4fc30c_JaffaCakes118.exe	30
PID 2428 wrote to memory of 2064	2428	6fc4078c92239ae0b6928d78ae4fc30c_JaffaCakes118.exe	30
PID 2064 wrote to memory of 1640	2064	server51.exe	31
PID 2064 wrote to memory of 1640	2064	server51.exe	31
PID 2064 wrote to memory of 1640	2064	server51.exe	31
PID 2064 wrote to memory of 1640	2064	server51.exe	31
PID 2064 wrote to memory of 1640	2064	server51.exe	31
PID 2064 wrote to memory of 1640	2064	server51.exe	31
PID 2064 wrote to memory of 1640	2064	server51.exe	31
PID 2064 wrote to memory of 1640	2064	server51.exe	31

C:\Users\Admin\AppData\Local\Temp\6fc4078c92239ae0b6928d78ae4fc30c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6fc4078c92239ae0b6928d78ae4fc30c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1433.01.12T21.40\Virtual\STUBEXE\@APPDATALOCAL@\Temp\server51.exe
  "C:\Users\Admin\AppData\Local\Temp\server51.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1433.01.12T21.40\Virtual\STUBEXE\@APPDATALOCAL@\Temp\server51.exe
    "C:\Users\Admin\AppData\Local\Temp\server51.exe"
    3⤵
    - Executes dropped EXE
    PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\1433.01.12T21.40\Virtual\STUBEXE\@APPDATALOCAL@\Temp\server51.exe

Filesize
17KB

MD5
2b5cf707e94c69fa76ddc6f3613b1482

SHA1
05f5cae23e7074cfbad6145d1d74d14508eab704

SHA256
5ce38492be11bd2851b3553b25614c1b09c248c66c770a3af676bb86c402c2ab

SHA512
82e0714a31876993dfac5900cc01b0132a2ad47a3472069659dc60c0cc3805cb74fd714c91ea353956c56fe8c1a12092f24b2c06596244d7d365d9ca3cdfc844

Download Submit
memory/2428-1-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-0-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-11-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-26-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-28-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-30-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-43-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-58-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-57-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-83-0x0000000076FF0000-0x0000000076FF1000-memory.dmp

Filesize
4KB

Download
memory/2428-80-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-62-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-119-0x0000000076FF0000-0x0000000076FF1000-memory.dmp

Filesize
4KB

Download
memory/2428-155-0x0000000076FF0000-0x0000000076FF1000-memory.dmp

Filesize
4KB

Download
memory/2428-187-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-204-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-6-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-69-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-206-0x0000000076FF0000-0x0000000076FF1000-memory.dmp

Filesize
4KB

Download
memory/2428-205-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-190-0x0000000076FF0000-0x0000000076FF1000-memory.dmp

Filesize
4KB

Download
memory/2428-170-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-152-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-135-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-116-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-99-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-73-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-71-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-65-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-64-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-60-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-53-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-51-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-48-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-46-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-44-0x0000000076FF0000-0x0000000076FF1000-memory.dmp

Filesize
4KB

Download
memory/2428-40-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-35-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-36-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-33-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-24-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-21-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-16-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-17-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-14-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-9-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-7-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-207-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2428-633-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download