018d97cef4258673476c27b086ed7af05f5c33ec7c916626d29e37713fcc7438

Analysis

max time kernel
148s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72f91bbe27075fb1bd3d8db3bc425190_JaffaCakes118.exe
Size

41KB
MD5

72f91bbe27075fb1bd3d8db3bc425190
SHA1

789e2841058a91de3f051738f0064f1114f3d069
SHA256

018d97cef4258673476c27b086ed7af05f5c33ec7c916626d29e37713fcc7438
SHA512

2dd49d35fc57f96b2b8cd808215ecb73e8cc45fd5b70aef76476910c866dd501ad2083ad3017ad012ba4d0205d85bdb0db769a43e71881b65d4b14313475e7ff
SSDEEP

768:7sfB5JNtfsCqEiiQSy1a0Ys4bJQ9cJ4CkAyueBsiD9ubfHreQHHQtAUEXru1+srg:G5JTfsY0w9s2VzFHretAmR

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
2644	csrs.exe
2012	csrs.exe
2592	csrs.exe
948	csrs.exe
2264	csrs.exe
3008	csrs.exe
2964	csrs.exe
1752	csrs.exe
2412	csrs.exe
1304	csrs.exe

Loads dropped DLL 20 IoCs

pid	Process
3032	72f91bbe27075fb1bd3d8db3bc425190_JaffaCakes118.exe
3032	72f91bbe27075fb1bd3d8db3bc425190_JaffaCakes118.exe
2644	csrs.exe
2644	csrs.exe
2012	csrs.exe
2012	csrs.exe
2592	csrs.exe
2592	csrs.exe
948	csrs.exe
948	csrs.exe
2264	csrs.exe
2264	csrs.exe
3008	csrs.exe
3008	csrs.exe
2964	csrs.exe
2964	csrs.exe
1752	csrs.exe
1752	csrs.exe
2412	csrs.exe
2412	csrs.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File opened for modification	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File opened for modification	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File opened for modification	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File opened for modification	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File opened for modification	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File opened for modification	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File created	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File created	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File created	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File created	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File created	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File created	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File created	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File created	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File created	C:\Windows\SysWOW64\csrs.exe	72f91bbe27075fb1bd3d8db3bc425190_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\csrs.exe	72f91bbe27075fb1bd3d8db3bc425190_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File created	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File created	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File opened for modification	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File opened for modification	C:\Windows\SysWOW64\csrs.exe	csrs.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72f91bbe27075fb1bd3d8db3bc425190_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrs.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2644	3032	72f91bbe27075fb1bd3d8db3bc425190_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2644	3032	72f91bbe27075fb1bd3d8db3bc425190_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2644	3032	72f91bbe27075fb1bd3d8db3bc425190_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2644	3032	72f91bbe27075fb1bd3d8db3bc425190_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2012	2644	csrs.exe	31
PID 2644 wrote to memory of 2012	2644	csrs.exe	31
PID 2644 wrote to memory of 2012	2644	csrs.exe	31
PID 2644 wrote to memory of 2012	2644	csrs.exe	31
PID 2012 wrote to memory of 2592	2012	csrs.exe	32
PID 2012 wrote to memory of 2592	2012	csrs.exe	32
PID 2012 wrote to memory of 2592	2012	csrs.exe	32
PID 2012 wrote to memory of 2592	2012	csrs.exe	32
PID 2592 wrote to memory of 948	2592	csrs.exe	33
PID 2592 wrote to memory of 948	2592	csrs.exe	33
PID 2592 wrote to memory of 948	2592	csrs.exe	33
PID 2592 wrote to memory of 948	2592	csrs.exe	33
PID 948 wrote to memory of 2264	948	csrs.exe	34
PID 948 wrote to memory of 2264	948	csrs.exe	34
PID 948 wrote to memory of 2264	948	csrs.exe	34
PID 948 wrote to memory of 2264	948	csrs.exe	34
PID 2264 wrote to memory of 3008	2264	csrs.exe	35
PID 2264 wrote to memory of 3008	2264	csrs.exe	35
PID 2264 wrote to memory of 3008	2264	csrs.exe	35
PID 2264 wrote to memory of 3008	2264	csrs.exe	35
PID 3008 wrote to memory of 2964	3008	csrs.exe	36
PID 3008 wrote to memory of 2964	3008	csrs.exe	36
PID 3008 wrote to memory of 2964	3008	csrs.exe	36
PID 3008 wrote to memory of 2964	3008	csrs.exe	36
PID 2964 wrote to memory of 1752	2964	csrs.exe	37
PID 2964 wrote to memory of 1752	2964	csrs.exe	37
PID 2964 wrote to memory of 1752	2964	csrs.exe	37
PID 2964 wrote to memory of 1752	2964	csrs.exe	37
PID 1752 wrote to memory of 2412	1752	csrs.exe	38
PID 1752 wrote to memory of 2412	1752	csrs.exe	38
PID 1752 wrote to memory of 2412	1752	csrs.exe	38
PID 1752 wrote to memory of 2412	1752	csrs.exe	38
PID 2412 wrote to memory of 1304	2412	csrs.exe	39
PID 2412 wrote to memory of 1304	2412	csrs.exe	39
PID 2412 wrote to memory of 1304	2412	csrs.exe	39
PID 2412 wrote to memory of 1304	2412	csrs.exe	39

C:\Users\Admin\AppData\Local\Temp\72f91bbe27075fb1bd3d8db3bc425190_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\72f91bbe27075fb1bd3d8db3bc425190_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\csrs.exe
  C:\Windows\system32\csrs.exe 448 "C:\Users\Admin\AppData\Local\Temp\72f91bbe27075fb1bd3d8db3bc425190_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\csrs.exe
    C:\Windows\system32\csrs.exe 500 "C:\Windows\SysWOW64\csrs.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\SysWOW64\csrs.exe
      C:\Windows\system32\csrs.exe 512 "C:\Windows\SysWOW64\csrs.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\csrs.exe
        
        C:\Windows\system32\csrs.exe 508 "C:\Windows\SysWOW64\csrs.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:948
      - C:\Windows\SysWOW64\csrs.exe
        
        C:\Windows\system32\csrs.exe 504 "C:\Windows\SysWOW64\csrs.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\csrs.exe
        
        C:\Windows\system32\csrs.exe 516 "C:\Windows\SysWOW64\csrs.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\csrs.exe
        
        C:\Windows\system32\csrs.exe 520 "C:\Windows\SysWOW64\csrs.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\csrs.exe
        
        C:\Windows\system32\csrs.exe 524 "C:\Windows\SysWOW64\csrs.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\csrs.exe
        
        C:\Windows\system32\csrs.exe 528 "C:\Windows\SysWOW64\csrs.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\csrs.exe
        
        C:\Windows\system32\csrs.exe 532 "C:\Windows\SysWOW64\csrs.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\csrs.exe

Filesize
41KB

MD5
72f91bbe27075fb1bd3d8db3bc425190

SHA1
789e2841058a91de3f051738f0064f1114f3d069

SHA256
018d97cef4258673476c27b086ed7af05f5c33ec7c916626d29e37713fcc7438

SHA512
2dd49d35fc57f96b2b8cd808215ecb73e8cc45fd5b70aef76476910c866dd501ad2083ad3017ad012ba4d0205d85bdb0db769a43e71881b65d4b14313475e7ff

Download Submit
memory/948-36-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/948-38-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1304-77-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1304-75-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1752-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1752-63-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2012-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2012-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2264-43-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2264-47-0x00000000024F0000-0x000000000252C000-memory.dmp

Filesize
240KB

Download
memory/2264-48-0x00000000024F0000-0x000000000252C000-memory.dmp

Filesize
240KB

Download
memory/2412-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2412-69-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2592-29-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2592-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2592-30-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2644-18-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2644-21-0x00000000023E0000-0x000000000241C000-memory.dmp

Filesize
240KB

Download
memory/2644-15-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2644-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2964-61-0x0000000002510000-0x000000000254C000-memory.dmp

Filesize
240KB

Download
memory/2964-60-0x0000000002510000-0x000000000254C000-memory.dmp

Filesize
240KB

Download
memory/2964-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3008-51-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3008-55-0x0000000001D80000-0x0000000001DBC000-memory.dmp

Filesize
240KB

Download
memory/3008-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3032-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3032-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3032-12-0x00000000024F0000-0x000000000252C000-memory.dmp

Filesize
240KB

Download
memory/3032-13-0x00000000024F0000-0x000000000252C000-memory.dmp

Filesize
240KB

Download
memory/3032-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download