3256fb1782315e48eab2144965d01f6773c86689bc8fc6327da958dbdf99dd3b

Analysis

max time kernel
142s
max time network
20s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

724dea6b568c13225629fa3c10faf775_JaffaCakes118.exe
Size

629KB
MD5

724dea6b568c13225629fa3c10faf775
SHA1

4cce7a79300c052a27b10bbd98d6f423209fad70
SHA256

3256fb1782315e48eab2144965d01f6773c86689bc8fc6327da958dbdf99dd3b
SHA512

7f7f32b9646b43b95a8137e3436750a9283fe14c26ae3530cb03c79804326e56d871052085408e68d2a5124899aeae94edbcb7faf2648ac7da4c23d01f0ebf40
SSDEEP

12288:VHWYg1ieQ7NfOKn2NkBjm1q0BbTgoWTHQo30veJTv3PdE5x39:VHtf7/nsamY0BgoNRGJT4x3

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2216	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2624	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2624	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system\UAPTJW.DAT	724dea6b568c13225629fa3c10faf775_JaffaCakes118.exe
File created	C:\Windows\system\DKSHMY.DAT	724dea6b568c13225629fa3c10faf775_JaffaCakes118.exe
File created	C:\Windows\system\svchost.exe	724dea6b568c13225629fa3c10faf775_JaffaCakes118.exe
File opened for modification	C:\Windows\system\svchost.exe	724dea6b568c13225629fa3c10faf775_JaffaCakes118.exe
File created	C:\Windows\UNINSTAL.BAT	724dea6b568c13225629fa3c10faf775_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	724dea6b568c13225629fa3c10faf775_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	724dea6b568c13225629fa3c10faf775_JaffaCakes118.exe
Token: SeDebugPrivilege	2624	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2624	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2624	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2340	2624	svchost.exe	30
PID 2624 wrote to memory of 2340	2624	svchost.exe	30
PID 2624 wrote to memory of 2340	2624	svchost.exe	30
PID 2624 wrote to memory of 2340	2624	svchost.exe	30
PID 2468 wrote to memory of 2216	2468	724dea6b568c13225629fa3c10faf775_JaffaCakes118.exe	31
PID 2468 wrote to memory of 2216	2468	724dea6b568c13225629fa3c10faf775_JaffaCakes118.exe	31
PID 2468 wrote to memory of 2216	2468	724dea6b568c13225629fa3c10faf775_JaffaCakes118.exe	31
PID 2468 wrote to memory of 2216	2468	724dea6b568c13225629fa3c10faf775_JaffaCakes118.exe	31
PID 2468 wrote to memory of 2216	2468	724dea6b568c13225629fa3c10faf775_JaffaCakes118.exe	31
PID 2468 wrote to memory of 2216	2468	724dea6b568c13225629fa3c10faf775_JaffaCakes118.exe	31
PID 2468 wrote to memory of 2216	2468	724dea6b568c13225629fa3c10faf775_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\724dea6b568c13225629fa3c10faf775_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\724dea6b568c13225629fa3c10faf775_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\UNINSTAL.BAT
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2216

C:\Windows\system\svchost.exe
C:\Windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\UNINSTAL.BAT

Filesize
214B

MD5
6ee1a9a7f620dc1786a5bf03717a4a3c

SHA1
8381f51d436e16d22f8451ba48639d077f10ab40

SHA256
815ab01400dea57b1f3f31af9ea3facb537f930a8b4195805c18bf91b1092a3e

SHA512
a675d3f28e7f0484d6072831d510fa23c484a69608659a5018047d531fdd6f7caa3341a75b7d8adc3b813068eaec10218590f7b78189281e50ac70624a72798b

Download Submit
C:\Windows\system\svchost.exe

Filesize
629KB

MD5
724dea6b568c13225629fa3c10faf775

SHA1
4cce7a79300c052a27b10bbd98d6f423209fad70

SHA256
3256fb1782315e48eab2144965d01f6773c86689bc8fc6327da958dbdf99dd3b

SHA512
7f7f32b9646b43b95a8137e3436750a9283fe14c26ae3530cb03c79804326e56d871052085408e68d2a5124899aeae94edbcb7faf2648ac7da4c23d01f0ebf40

Download Submit
\Windows\system\DKSHMY.DAT

Filesize
17KB

MD5
c533c13c98ce70ccffeaefc05ad4825f

SHA1
f44d6ac53a667ebc5b34b345b718601ab38ba1eb

SHA256
f17157911556b62dbb709273fca3b1075cb0deef7d53c40dad2b17318aef85e1

SHA512
fa073f87f5faedf3b86745197a2de5622504925a31b6f6c7060141f69feca6c8fbd23bad9240edd8ae539970e294aef4a42f4ef62c021396a4506e99b9a2e687

Download Submit
memory/2468-0-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2468-8-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/2468-7-0x0000000002810000-0x0000000002813000-memory.dmp

Filesize
12KB

Download
memory/2468-6-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2468-5-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/2468-4-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/2468-13-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2468-3-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/2468-14-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/2468-2-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/2468-1-0x0000000000370000-0x00000000003BB000-memory.dmp

Filesize
300KB

Download
memory/2468-16-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/2468-15-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2468-71-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/2468-70-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/2468-69-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/2468-68-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/2468-67-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

Filesize
4KB

Download
memory/2468-66-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2468-65-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/2468-64-0x0000000003710000-0x0000000003711000-memory.dmp

Filesize
4KB

Download
memory/2468-63-0x00000000036F0000-0x00000000036F1000-memory.dmp

Filesize
4KB

Download
memory/2468-62-0x0000000003700000-0x0000000003701000-memory.dmp

Filesize
4KB

Download
memory/2468-61-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/2468-60-0x00000000036E0000-0x00000000036E1000-memory.dmp

Filesize
4KB

Download
memory/2468-59-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/2468-58-0x0000000002C50000-0x0000000002C51000-memory.dmp

Filesize
4KB

Download
memory/2468-57-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2468-56-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download
memory/2468-55-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/2468-54-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2468-53-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

Filesize
4KB

Download
memory/2468-52-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/2468-51-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/2468-50-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/2468-49-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/2468-48-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/2468-47-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/2468-46-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/2468-45-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/2468-44-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/2468-43-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/2468-42-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/2468-41-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/2468-40-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/2468-39-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/2468-38-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/2468-37-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2468-36-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/2468-35-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/2468-34-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/2468-33-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/2468-32-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/2468-31-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/2468-30-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/2468-29-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/2468-28-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2468-27-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/2468-26-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/2468-25-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/2468-24-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/2468-23-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/2468-22-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/2468-21-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/2468-20-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/2468-19-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/2468-18-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/2468-17-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2468-82-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2468-83-0x0000000000370000-0x00000000003BB000-memory.dmp

Filesize
300KB

Download
memory/2624-73-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2624-87-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2624-88-0x00000000035C0000-0x00000000035CB000-memory.dmp

Filesize
44KB

Download