4d5ca0f2558c7c631568f2c7fe2052f30fde403ec9b7bf451539e4daab6550d7

Analysis

max time kernel
148s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7354c6e7d79cb53cd10e7f885e315fe8_JaffaCakes118.exe
Size

66KB
MD5

7354c6e7d79cb53cd10e7f885e315fe8
SHA1

37182b4ddd7d66dd129f04ad89ac0674976996da
SHA256

4d5ca0f2558c7c631568f2c7fe2052f30fde403ec9b7bf451539e4daab6550d7
SHA512

65efe18a30a66a66a28fa5800ebf1eb4196aa5aa641104d528ea9e9dfd6b96432740187f8d101e28f177c165e89f0e03d2f23cbdbf9563a33ae9c202aaf407d1
SSDEEP

1536:XbN7eY65FJGXNWdQ8jbcIOGa1OO7aomtv168u/40DJ63yOpF6jT:rNzyF2NWdQwO11OO7aomtk6hz6jT

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
2680	svcchosst.exe
2580	svcchosst.exe
2672	svcchosst.exe
2648	svcchosst.exe
1956	svcchosst.exe
2900	svcchosst.exe
2476	svcchosst.exe
1768	svcchosst.exe
2236	svcchosst.exe
2508	svcchosst.exe

Loads dropped DLL 20 IoCs

pid	Process
1900	7354c6e7d79cb53cd10e7f885e315fe8_JaffaCakes118.exe
1900	7354c6e7d79cb53cd10e7f885e315fe8_JaffaCakes118.exe
2680	svcchosst.exe
2680	svcchosst.exe
2580	svcchosst.exe
2580	svcchosst.exe
2672	svcchosst.exe
2672	svcchosst.exe
2648	svcchosst.exe
2648	svcchosst.exe
1956	svcchosst.exe
1956	svcchosst.exe
2900	svcchosst.exe
2900	svcchosst.exe
2476	svcchosst.exe
2476	svcchosst.exe
1768	svcchosst.exe
1768	svcchosst.exe
2236	svcchosst.exe
2236	svcchosst.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svcchosst.exe	svcchosst.exe
File created	C:\Windows\SysWOW64\svcchosst.exe	svcchosst.exe
File created	C:\Windows\SysWOW64\svcchosst.exe	svcchosst.exe
File opened for modification	C:\Windows\SysWOW64\svcchosst.exe	svcchosst.exe
File created	C:\Windows\SysWOW64\svcchosst.exe	svcchosst.exe
File created	C:\Windows\SysWOW64\svcchosst.exe	svcchosst.exe
File opened for modification	C:\Windows\SysWOW64\svcchosst.exe	svcchosst.exe
File created	C:\Windows\SysWOW64\svcchosst.exe	svcchosst.exe
File opened for modification	C:\Windows\SysWOW64\svcchosst.exe	7354c6e7d79cb53cd10e7f885e315fe8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svcchosst.exe	svcchosst.exe
File opened for modification	C:\Windows\SysWOW64\svcchosst.exe	svcchosst.exe
File opened for modification	C:\Windows\SysWOW64\svcchosst.exe	svcchosst.exe
File created	C:\Windows\SysWOW64\svcchosst.exe	svcchosst.exe
File opened for modification	C:\Windows\SysWOW64\svcchosst.exe	svcchosst.exe
File opened for modification	C:\Windows\SysWOW64\svcchosst.exe	svcchosst.exe
File created	C:\Windows\SysWOW64\svcchosst.exe	svcchosst.exe
File created	C:\Windows\SysWOW64\svcchosst.exe	svcchosst.exe
File opened for modification	C:\Windows\SysWOW64\svcchosst.exe	svcchosst.exe
File created	C:\Windows\SysWOW64\svcchosst.exe	7354c6e7d79cb53cd10e7f885e315fe8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svcchosst.exe	svcchosst.exe
File created	C:\Windows\SysWOW64\svcchosst.exe	svcchosst.exe
File opened for modification	C:\Windows\SysWOW64\svcchosst.exe	svcchosst.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svcchosst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svcchosst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svcchosst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svcchosst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svcchosst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svcchosst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7354c6e7d79cb53cd10e7f885e315fe8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svcchosst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svcchosst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svcchosst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svcchosst.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2680	1900	7354c6e7d79cb53cd10e7f885e315fe8_JaffaCakes118.exe	30
PID 1900 wrote to memory of 2680	1900	7354c6e7d79cb53cd10e7f885e315fe8_JaffaCakes118.exe	30
PID 1900 wrote to memory of 2680	1900	7354c6e7d79cb53cd10e7f885e315fe8_JaffaCakes118.exe	30
PID 1900 wrote to memory of 2680	1900	7354c6e7d79cb53cd10e7f885e315fe8_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2580	2680	svcchosst.exe	31
PID 2680 wrote to memory of 2580	2680	svcchosst.exe	31
PID 2680 wrote to memory of 2580	2680	svcchosst.exe	31
PID 2680 wrote to memory of 2580	2680	svcchosst.exe	31
PID 2580 wrote to memory of 2672	2580	svcchosst.exe	32
PID 2580 wrote to memory of 2672	2580	svcchosst.exe	32
PID 2580 wrote to memory of 2672	2580	svcchosst.exe	32
PID 2580 wrote to memory of 2672	2580	svcchosst.exe	32
PID 2672 wrote to memory of 2648	2672	svcchosst.exe	33
PID 2672 wrote to memory of 2648	2672	svcchosst.exe	33
PID 2672 wrote to memory of 2648	2672	svcchosst.exe	33
PID 2672 wrote to memory of 2648	2672	svcchosst.exe	33
PID 2648 wrote to memory of 1956	2648	svcchosst.exe	34
PID 2648 wrote to memory of 1956	2648	svcchosst.exe	34
PID 2648 wrote to memory of 1956	2648	svcchosst.exe	34
PID 2648 wrote to memory of 1956	2648	svcchosst.exe	34
PID 1956 wrote to memory of 2900	1956	svcchosst.exe	35
PID 1956 wrote to memory of 2900	1956	svcchosst.exe	35
PID 1956 wrote to memory of 2900	1956	svcchosst.exe	35
PID 1956 wrote to memory of 2900	1956	svcchosst.exe	35
PID 2900 wrote to memory of 2476	2900	svcchosst.exe	36
PID 2900 wrote to memory of 2476	2900	svcchosst.exe	36
PID 2900 wrote to memory of 2476	2900	svcchosst.exe	36
PID 2900 wrote to memory of 2476	2900	svcchosst.exe	36
PID 2476 wrote to memory of 1768	2476	svcchosst.exe	37
PID 2476 wrote to memory of 1768	2476	svcchosst.exe	37
PID 2476 wrote to memory of 1768	2476	svcchosst.exe	37
PID 2476 wrote to memory of 1768	2476	svcchosst.exe	37
PID 1768 wrote to memory of 2236	1768	svcchosst.exe	38
PID 1768 wrote to memory of 2236	1768	svcchosst.exe	38
PID 1768 wrote to memory of 2236	1768	svcchosst.exe	38
PID 1768 wrote to memory of 2236	1768	svcchosst.exe	38
PID 2236 wrote to memory of 2508	2236	svcchosst.exe	39
PID 2236 wrote to memory of 2508	2236	svcchosst.exe	39
PID 2236 wrote to memory of 2508	2236	svcchosst.exe	39
PID 2236 wrote to memory of 2508	2236	svcchosst.exe	39

C:\Users\Admin\AppData\Local\Temp\7354c6e7d79cb53cd10e7f885e315fe8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7354c6e7d79cb53cd10e7f885e315fe8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\svcchosst.exe
  C:\Windows\system32\svcchosst.exe 492 "C:\Users\Admin\AppData\Local\Temp\7354c6e7d79cb53cd10e7f885e315fe8_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\svcchosst.exe
    C:\Windows\system32\svcchosst.exe 516 "C:\Windows\SysWOW64\svcchosst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\svcchosst.exe
      C:\Windows\system32\svcchosst.exe 512 "C:\Windows\SysWOW64\svcchosst.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\SysWOW64\svcchosst.exe
        
        C:\Windows\system32\svcchosst.exe 520 "C:\Windows\SysWOW64\svcchosst.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2648
      - C:\Windows\SysWOW64\svcchosst.exe
        
        C:\Windows\system32\svcchosst.exe 524 "C:\Windows\SysWOW64\svcchosst.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\svcchosst.exe
        
        C:\Windows\system32\svcchosst.exe 528 "C:\Windows\SysWOW64\svcchosst.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\svcchosst.exe
        
        C:\Windows\system32\svcchosst.exe 508 "C:\Windows\SysWOW64\svcchosst.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\svcchosst.exe
        
        C:\Windows\system32\svcchosst.exe 540 "C:\Windows\SysWOW64\svcchosst.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\svcchosst.exe
        
        C:\Windows\system32\svcchosst.exe 532 "C:\Windows\SysWOW64\svcchosst.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\svcchosst.exe
        
        C:\Windows\system32\svcchosst.exe 544 "C:\Windows\SysWOW64\svcchosst.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\svcchosst.exe

Filesize
66KB

MD5
7354c6e7d79cb53cd10e7f885e315fe8

SHA1
37182b4ddd7d66dd129f04ad89ac0674976996da

SHA256
4d5ca0f2558c7c631568f2c7fe2052f30fde403ec9b7bf451539e4daab6550d7

SHA512
65efe18a30a66a66a28fa5800ebf1eb4196aa5aa641104d528ea9e9dfd6b96432740187f8d101e28f177c165e89f0e03d2f23cbdbf9563a33ae9c202aaf407d1

Download Submit
memory/1768-59-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1768-57-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1900-13-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/1900-7-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/1900-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/1900-0-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1900-16-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1956-41-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2236-65-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2236-63-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2476-51-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2476-53-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2508-71-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2508-69-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2580-21-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2580-27-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2580-23-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2648-36-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2648-34-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2672-28-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2672-30-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2680-17-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2680-14-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2900-45-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2900-47-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download