8e06338c55d5fa82c0b232df84c073ee763d3b3aea0855dec3c30a59ef86d3b3

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76184a00ebb178cd91a91ffa5a6f16c2_JaffaCakes118.exe
Size

46KB
MD5

76184a00ebb178cd91a91ffa5a6f16c2
SHA1

635aa23c65d4f5bd01dfdee2c7ca5d3fc75b2a14
SHA256

8e06338c55d5fa82c0b232df84c073ee763d3b3aea0855dec3c30a59ef86d3b3
SHA512

ba2a7aa7637d21d4ed7cf7002c7d62a0c25d506c36f87eb78d8b1c3d164c2252414800c9669806887f94682cec65903e2fbc350dbd8b7e464a232648fa302722
SSDEEP

768:750cdyWxE05BeZmblz7Ngi9CioEgjYGtYBVZXcVymYaNdcpsWXV:FCWxvfKO7iQCqGqBVZXc1VNOvV

Score

8^/10

discovery persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\7AD34389\ImagePath = "C:\\Windows\\system32\\7AD34389.EXE -7AD34389"	76184a00ebb178cd91a91ffa5a6f16c2_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2468	7AD34389.EXE

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\7AD34389.DLL	7AD34389.EXE
File created	C:\Windows\SysWOW64\delme.bat	76184a00ebb178cd91a91ffa5a6f16c2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\7AD34389.EXE	76184a00ebb178cd91a91ffa5a6f16c2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\7AD34389.EXE	76184a00ebb178cd91a91ffa5a6f16c2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\7AD34389.EXE	7AD34389.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76184a00ebb178cd91a91ffa5a6f16c2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7AD34389.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3940	76184a00ebb178cd91a91ffa5a6f16c2_JaffaCakes118.exe
3940	76184a00ebb178cd91a91ffa5a6f16c2_JaffaCakes118.exe
2468	7AD34389.EXE
2468	7AD34389.EXE
2468	7AD34389.EXE
2468	7AD34389.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 2312	3940	76184a00ebb178cd91a91ffa5a6f16c2_JaffaCakes118.exe	85
PID 3940 wrote to memory of 2312	3940	76184a00ebb178cd91a91ffa5a6f16c2_JaffaCakes118.exe	85
PID 3940 wrote to memory of 2312	3940	76184a00ebb178cd91a91ffa5a6f16c2_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\76184a00ebb178cd91a91ffa5a6f16c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\76184a00ebb178cd91a91ffa5a6f16c2_JaffaCakes118.exe"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\delme.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2312

C:\Windows\SysWOW64\7AD34389.EXE
C:\Windows\SysWOW64\7AD34389.EXE -7AD34389
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\7AD34389.EXE

Filesize
46KB

MD5
76184a00ebb178cd91a91ffa5a6f16c2

SHA1
635aa23c65d4f5bd01dfdee2c7ca5d3fc75b2a14

SHA256
8e06338c55d5fa82c0b232df84c073ee763d3b3aea0855dec3c30a59ef86d3b3

SHA512
ba2a7aa7637d21d4ed7cf7002c7d62a0c25d506c36f87eb78d8b1c3d164c2252414800c9669806887f94682cec65903e2fbc350dbd8b7e464a232648fa302722

Download Submit
C:\Windows\SysWOW64\delme.bat

Filesize
239B

MD5
c034f1e8d19f2a17ff7d3dc9ce5db6a7

SHA1
9da07eb9773d4193d13c6dbfdef31bfaecc2b461

SHA256
81f349c63af0d4b2128923b523696d5f87546e7c7436faf8b150cae305d4b441

SHA512
5c356a251230a883c0ab5f40c358deb4c1620210a59a4eb2377178d6c03c756334d894dea74cf599ebdbdd25e2e394101e3172cf3863b02ae8cef71332d645b9

Download Submit
memory/2468-5-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2468-11-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3940-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3940-1-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3940-9-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download