180dc549006f205e90002cd651436e91a579550b34f2c1550cfae479a36104f8

Analysis

max time kernel
140s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 17:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

70a393105521f908c5e0100f46ae7c77_JaffaCakes118.exe
Size

415KB
MD5

70a393105521f908c5e0100f46ae7c77
SHA1

fea170c2f10e3339989c5c86f2cefc287a8f868b
SHA256

180dc549006f205e90002cd651436e91a579550b34f2c1550cfae479a36104f8
SHA512

40b6cfdc303e9776b6fb00b5da87fa10017b732485ff39659a30fc246c286efe426a28d5697c1d8938a0e482d3d00ed918312be0ca7bb6291404b11f70781567
SSDEEP

6144:46tiNmI/Ydhk64fcbzM2/n1HNmlgr5orc2PRVGEu6fnyWuP8hF36:VtiNmI/r64fbInmk+A2bu0l9q

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
2688	txtcolor.exe
2828	txtcolor.exe
2812	txtcolor.exe
2576	txtcolor.exe
2720	txtcolor.exe
2596	txtcolor.exe
2556	txtcolor.exe
2584	txtcolor.exe
2460	txtcolor.exe
2968	txtcolor.exe
2976	txtcolor.exe
344	txtcolor.exe
2272	txtcolor.exe
2284	txtcolor.exe
676	txtcolor.exe
2028	txtcolor.exe
2088	txtcolor.exe
1264	txtcolor.exe
1956	txtcolor.exe
1420	txtcolor.exe
1620	txtcolor.exe

Loads dropped DLL 42 IoCs

pid	Process
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe
1564	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mode.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70a393105521f908c5e0100f46ae7c77_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 1564	3004	70a393105521f908c5e0100f46ae7c77_JaffaCakes118.exe	32
PID 3004 wrote to memory of 1564	3004	70a393105521f908c5e0100f46ae7c77_JaffaCakes118.exe	32
PID 3004 wrote to memory of 1564	3004	70a393105521f908c5e0100f46ae7c77_JaffaCakes118.exe	32
PID 3004 wrote to memory of 1564	3004	70a393105521f908c5e0100f46ae7c77_JaffaCakes118.exe	32
PID 1564 wrote to memory of 2756	1564	cmd.exe	33
PID 1564 wrote to memory of 2756	1564	cmd.exe	33
PID 1564 wrote to memory of 2756	1564	cmd.exe	33
PID 1564 wrote to memory of 2756	1564	cmd.exe	33
PID 1564 wrote to memory of 2708	1564	cmd.exe	34
PID 1564 wrote to memory of 2708	1564	cmd.exe	34
PID 1564 wrote to memory of 2708	1564	cmd.exe	34
PID 1564 wrote to memory of 2708	1564	cmd.exe	34
PID 1564 wrote to memory of 2792	1564	cmd.exe	35
PID 1564 wrote to memory of 2792	1564	cmd.exe	35
PID 1564 wrote to memory of 2792	1564	cmd.exe	35
PID 1564 wrote to memory of 2792	1564	cmd.exe	35
PID 1564 wrote to memory of 2688	1564	cmd.exe	36
PID 1564 wrote to memory of 2688	1564	cmd.exe	36
PID 1564 wrote to memory of 2688	1564	cmd.exe	36
PID 1564 wrote to memory of 2688	1564	cmd.exe	36
PID 1564 wrote to memory of 2828	1564	cmd.exe	37
PID 1564 wrote to memory of 2828	1564	cmd.exe	37
PID 1564 wrote to memory of 2828	1564	cmd.exe	37
PID 1564 wrote to memory of 2828	1564	cmd.exe	37
PID 1564 wrote to memory of 2812	1564	cmd.exe	38
PID 1564 wrote to memory of 2812	1564	cmd.exe	38
PID 1564 wrote to memory of 2812	1564	cmd.exe	38
PID 1564 wrote to memory of 2812	1564	cmd.exe	38
PID 1564 wrote to memory of 2576	1564	cmd.exe	39
PID 1564 wrote to memory of 2576	1564	cmd.exe	39
PID 1564 wrote to memory of 2576	1564	cmd.exe	39
PID 1564 wrote to memory of 2576	1564	cmd.exe	39
PID 1564 wrote to memory of 2720	1564	cmd.exe	40
PID 1564 wrote to memory of 2720	1564	cmd.exe	40
PID 1564 wrote to memory of 2720	1564	cmd.exe	40
PID 1564 wrote to memory of 2720	1564	cmd.exe	40
PID 1564 wrote to memory of 2596	1564	cmd.exe	41
PID 1564 wrote to memory of 2596	1564	cmd.exe	41
PID 1564 wrote to memory of 2596	1564	cmd.exe	41
PID 1564 wrote to memory of 2596	1564	cmd.exe	41
PID 1564 wrote to memory of 2556	1564	cmd.exe	42
PID 1564 wrote to memory of 2556	1564	cmd.exe	42
PID 1564 wrote to memory of 2556	1564	cmd.exe	42
PID 1564 wrote to memory of 2556	1564	cmd.exe	42
PID 1564 wrote to memory of 2584	1564	cmd.exe	43
PID 1564 wrote to memory of 2584	1564	cmd.exe	43
PID 1564 wrote to memory of 2584	1564	cmd.exe	43
PID 1564 wrote to memory of 2584	1564	cmd.exe	43
PID 1564 wrote to memory of 2460	1564	cmd.exe	44
PID 1564 wrote to memory of 2460	1564	cmd.exe	44
PID 1564 wrote to memory of 2460	1564	cmd.exe	44
PID 1564 wrote to memory of 2460	1564	cmd.exe	44
PID 1564 wrote to memory of 2968	1564	cmd.exe	45
PID 1564 wrote to memory of 2968	1564	cmd.exe	45
PID 1564 wrote to memory of 2968	1564	cmd.exe	45
PID 1564 wrote to memory of 2968	1564	cmd.exe	45
PID 1564 wrote to memory of 2976	1564	cmd.exe	46
PID 1564 wrote to memory of 2976	1564	cmd.exe	46
PID 1564 wrote to memory of 2976	1564	cmd.exe	46
PID 1564 wrote to memory of 2976	1564	cmd.exe	46
PID 1564 wrote to memory of 344	1564	cmd.exe	47
PID 1564 wrote to memory of 344	1564	cmd.exe	47
PID 1564 wrote to memory of 344	1564	cmd.exe	47
PID 1564 wrote to memory of 344	1564	cmd.exe	47

C:\Users\Admin\AppData\Local\Temp\70a393105521f908c5e0100f46ae7c77_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\70a393105521f908c5e0100f46ae7c77_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Windows\Temp\a00909.bat" "C:\Users\Admin\AppData\Local\Temp\70a393105521f908c5e0100f46ae7c77_JaffaCakes118.exe""
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\SysWOW64\cscript.exe
    Cscript /Nologo t.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2756
- - C:\Windows\SysWOW64\expand.exe
    Expand -r txtcolor.ex_
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2708
- - C:\Windows\SysWOW64\mode.com
    MODE CON: COLS=75 LINES=30
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2792
- - C:\Users\Admin\AppData\Local\Temp\txtcolor.exe
    txtcolor.exe 07 1 " ___ ____ ___ _____ __ ____ ___ ______________"
    3⤵
    - Executes dropped EXE
    PID:2688
- - C:\Users\Admin\AppData\Local\Temp\txtcolor.exe
    txtcolor.exe 07 1 " / __ \/ __ \/ __\ ______ / _ \ \/ / / __ \/ _ \/ ___/_ _/ __\
    3⤵
    - Executes dropped EXE
    PID:2828
- - C:\Users\Admin\AppData\Local\Temp\txtcolor.exe
    txtcolor.exe 07 1 " / /_/ / /_/ /__ / /_____/ / __/ / / /_/ / __/ / / / /__ /"
    3⤵
    - Executes dropped EXE
    PID:2812
- - C:\Users\Admin\AppData\Local\Temp\txtcolor.exe
    txtcolor.exe 07 1 " \__ / .___/\___/ \___/_/\_\/ .___/\___/_/ /_/ \___/"
    3⤵
    - Executes dropped EXE
    PID:2576
- - C:\Users\Admin\AppData\Local\Temp\txtcolor.exe
    txtcolor.exe 07 1 " /___/_/ /_/"
    3⤵
    - Executes dropped EXE
    PID:2720
- - C:\Users\Admin\AppData\Local\Temp\txtcolor.exe
    txtcolor.exe 0d 0 " ###########################################################"
    3⤵
    - Executes dropped EXE
    PID:2596
- - C:\Users\Admin\AppData\Local\Temp\txtcolor.exe
    txtcolor.exe 0e 0 " v 7.2"
    3⤵
    - Executes dropped EXE
    PID:2556
- - C:\Users\Admin\AppData\Local\Temp\txtcolor.exe
    txtcolor.exe 0d 1 " #"
    3⤵
    - Executes dropped EXE
    PID:2584
- - C:\Users\Admin\AppData\Local\Temp\txtcolor.exe
    txtcolor.exe 0D 0 " º
    3⤵
    - Executes dropped EXE
    PID:2460
- - C:\Users\Admin\AppData\Local\Temp\txtcolor.exe
    txtcolor.exe 0C 0 " This program is made for you to test the maps. "
    3⤵
    - Executes dropped EXE
    PID:2968
- - C:\Users\Admin\AppData\Local\Temp\txtcolor.exe
    txtcolor.exe 0D 0 " º
    3⤵
    - Executes dropped EXE
    PID:2976
- - C:\Users\Admin\AppData\Local\Temp\txtcolor.exe
    txtcolor.exe 0C 0 " If you like it, in 24h. you must buy or delete the files,"
    3⤵
    - Executes dropped EXE
    PID:344
- - C:\Users\Admin\AppData\Local\Temp\txtcolor.exe
    txtcolor.exe 0D 0 " º
    3⤵
    - Executes dropped EXE
    PID:2272
- - C:\Users\Admin\AppData\Local\Temp\txtcolor.exe
    txtcolor.exe 0C 0 " gps-experts.org is not responsible "
    3⤵
    - Executes dropped EXE
    PID:2284
- - C:\Users\Admin\AppData\Local\Temp\txtcolor.exe
    txtcolor.exe 0D 0 " º
    3⤵
    - Executes dropped EXE
    PID:676
- - C:\Users\Admin\AppData\Local\Temp\txtcolor.exe
    txtcolor.exe 0C 0 " of misuse of this application. "
    3⤵
    - Executes dropped EXE
    PID:2028
- - C:\Users\Admin\AppData\Local\Temp\txtcolor.exe
    txtcolor.exe 0D 0 " º
    3⤵
    - Executes dropped EXE
    PID:2088
- - C:\Users\Admin\AppData\Local\Temp\txtcolor.exe
    txtcolor.exe 0C 0 " It is created for personal use to retrieve and activate"
    3⤵
    - Executes dropped EXE
    PID:1264
- - C:\Users\Admin\AppData\Local\Temp\txtcolor.exe
    txtcolor.exe 0D 0 " º
    3⤵
    - Executes dropped EXE
    PID:1956
- - C:\Users\Admin\AppData\Local\Temp\txtcolor.exe
    txtcolor.exe 0C 0 " your backups. "
    3⤵
    - Executes dropped EXE
    PID:1420
- - C:\Users\Admin\AppData\Local\Temp\txtcolor.exe
    txtcolor.exe 0C 0 " Agree ( Y / N ) : "
    3⤵
    - Executes dropped EXE
    PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\t.vbs

Filesize
3KB

MD5
9298e7d843ff1232794ab188d6008d12

SHA1
d432ce13ad81e525edf4df62c7554e7d81f04a32

SHA256
b9e723d51e8f1aabcd07f11c938c473d3672b03d666e94400b8fe433250fd454

SHA512
117cb07001d5fce27ba4520418aa4b5893d92d83e40a10595e7cc24d47c3925abfa1050f81307225d0a3f149defc376528ba8fcf852e16d87254da7ae37ccc58

Download Submit
C:\Users\Admin\AppData\Local\Temp\txtcolor.ex_

Filesize
954B

MD5
5a785cc9e01c229f54451cf8d0ad6e3e

SHA1
3fd4f8903530e4f69b4e40d029e7f0779c1436ef

SHA256
7bda36c531f98521553733a8516715204dfbb4b928d70e917d6b992f3c9d6477

SHA512
8aeb415b903471958f4bd79925d2c23c502d1210476884937b02433c70643610575607868e314286d5f73a3ee9678f27e141978ad779dd0047ad038e5a145caf

Download Submit
C:\Windows\Temp\a00909.bat

Filesize
168KB

MD5
641a328e0bd200ee1e53402db7a6790c

SHA1
9eae737a013518f71e560c60ca90b0f837a2c8d6

SHA256
dca0799f1efb85275ad10e4e71a1a750cd224835c0b1764b07aaf1c39e6beecd

SHA512
4713525a74d4201ff022ed6dfec33028ded5fdbbe8a26c33498501bc4324ace7eaa8455772bd2c328bc49fd73f59ae0bbd441bbe333218adbef5089fac46437f

Download Submit
\Users\Admin\AppData\Local\Temp\txtcolor.exe

Filesize
1KB

MD5
7a14e1db2c764b92099f95cda391e7de

SHA1
1ce093c6f144044312528fa566f6189b2d5e8dbf

SHA256
b40c72c869665ae6ccc5d375b3ff4c3053d21dc5b6fec66e839a416379b97050

SHA512
d0952e7e487ba6b2dd548fd45c47877a675ed30c6e4b569a13a613dfa89f0dbab133c45304dbf5fb04191c57a69f7641d39f471c4df8a93a1b0bd4814cb2bc94

Download Submit
memory/3004-107-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download