33d747c0d7ad69727f5358df0fef7b50491442c73806755428cf5d105cfc5133

Analysis

max time kernel
124s
max time network
135s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7794d237b1d5a27fb84ef5e15e43eb0f_JaffaCakes118.exe
Size

24KB
MD5

7794d237b1d5a27fb84ef5e15e43eb0f
SHA1

9009a7bb44d13d799b8db4abc232bac17506b32e
SHA256

33d747c0d7ad69727f5358df0fef7b50491442c73806755428cf5d105cfc5133
SHA512

b68ca025ef6e79f6bcab02fe99182f993269e8202d147a28e385fee451b5bf728a6cb7fa7fe9a7485b5031a03d1875100cb1f847992e137aac61e66fed3bac19
SSDEEP

384:iXdGP+MQ9aBfDnnZI1k/9lM0R5qWn3U38wkuFSPTAPJTW5Z:aGP+3aBLnsk/XM0RQW3U38wNSb4JTE

Score

8^/10

discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\bvmbnc\Parameters\ServiceDll = "%SystemRoot%\\System32\\bvmbnc.dll"	7794d237b1d5a27fb84ef5e15e43eb0f_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2384	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1524	7794d237b1d5a27fb84ef5e15e43eb0f_JaffaCakes118.exe
2384	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bvmbnc.dll	7794d237b1d5a27fb84ef5e15e43eb0f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7794d237b1d5a27fb84ef5e15e43eb0f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7794d237b1d5a27fb84ef5e15e43eb0f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2548	7794d237b1d5a27fb84ef5e15e43eb0f_JaffaCakes118.exe
2548	7794d237b1d5a27fb84ef5e15e43eb0f_JaffaCakes118.exe
1524	7794d237b1d5a27fb84ef5e15e43eb0f_JaffaCakes118.exe
1524	7794d237b1d5a27fb84ef5e15e43eb0f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1524	2548	7794d237b1d5a27fb84ef5e15e43eb0f_JaffaCakes118.exe	30
PID 2548 wrote to memory of 1524	2548	7794d237b1d5a27fb84ef5e15e43eb0f_JaffaCakes118.exe	30
PID 2548 wrote to memory of 1524	2548	7794d237b1d5a27fb84ef5e15e43eb0f_JaffaCakes118.exe	30
PID 2548 wrote to memory of 1524	2548	7794d237b1d5a27fb84ef5e15e43eb0f_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\7794d237b1d5a27fb84ef5e15e43eb0f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7794d237b1d5a27fb84ef5e15e43eb0f_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\7794d237b1d5a27fb84ef5e15e43eb0f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\7794d237b1d5a27fb84ef5e15e43eb0f_JaffaCakes118.exe" TWO
  2⤵
  - Server Software Component: Terminal Services DLL
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1524

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k bvmbnc
1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\bvmbnc.dll

Filesize
17KB

MD5
30cea981379523446b0bfd8cab4b425d

SHA1
dc8ec65a05922fe8505c8a9db37cf9f760804aed

SHA256
251349d010fa7d445a7b8b01459ed3a51a71d74a55f4dc966efbcbac1fa1c009

SHA512
b49db31bf646ba630293b5fb8ef26beacbf480488e09256181d6b2a76ff19b8371b24bd3fd1928447ea65b1dcde1c9c5a44be77867de5def6be7f3aeaad56516

Download Submit