d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29/07/2024, 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe
Size

261KB
MD5

40bacc2a14f96df432eaf6427353a84d
SHA1

725676d96a957828af4f8b8d77ea31a5ddb8082b
SHA256

d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560
SHA512

acca8e6e9c971e4195c0f43e97ff5d37fdd04ede934b904ca3489898f23d869bf1cd56c24917d080b003d13ce2ed319b54789e7ccc90121e24abafcb227bce04
SSDEEP

3072:8Z/S0A2TcuWTnTn43rXCxOoeiJFu/xCGHZMUBjlW7U2xQ8zEOC11jry:uTtm2W4oX0CG+EIvi8zA11H

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2608	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2720	yxve.exe
2692	yxve.exe

Loads dropped DLL 2 IoCs

pid	Process
2708	40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe
2720	yxve.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2400 set thread context of 2708	2400	40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe	30
PID 2720 set thread context of 2692	2720	yxve.exe	32

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yxve.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2708	40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2708	2400	40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2708	2400	40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2708	2400	40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2708	2400	40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2708	2400	40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2708	2400	40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2708	2400	40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2708	2400	40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2708	2400	40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2708	2400	40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe	30
PID 2708 wrote to memory of 2720	2708	40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe	31
PID 2708 wrote to memory of 2720	2708	40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe	31
PID 2708 wrote to memory of 2720	2708	40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe	31
PID 2708 wrote to memory of 2720	2708	40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe	31
PID 2720 wrote to memory of 2692	2720	yxve.exe	32
PID 2720 wrote to memory of 2692	2720	yxve.exe	32
PID 2720 wrote to memory of 2692	2720	yxve.exe	32
PID 2720 wrote to memory of 2692	2720	yxve.exe	32
PID 2720 wrote to memory of 2692	2720	yxve.exe	32
PID 2720 wrote to memory of 2692	2720	yxve.exe	32
PID 2720 wrote to memory of 2692	2720	yxve.exe	32
PID 2720 wrote to memory of 2692	2720	yxve.exe	32
PID 2720 wrote to memory of 2692	2720	yxve.exe	32
PID 2720 wrote to memory of 2692	2720	yxve.exe	32
PID 2708 wrote to memory of 2608	2708	40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe	33
PID 2708 wrote to memory of 2608	2708	40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe	33
PID 2708 wrote to memory of 2608	2708	40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe	33
PID 2708 wrote to memory of 2608	2708	40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\40bacc2a14f96df432eaf6427353a84d_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\Yvweit\yxve.exe
    "C:\Users\Admin\AppData\Local\Temp\Yvweit\yxve.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\Yvweit\yxve.exe
      "C:\Users\Admin\AppData\Local\Temp\Yvweit\yxve.exe"
      4⤵
      Executes dropped EXE
      PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLO7AD5.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QLO7AD5.bat

Filesize
244B

MD5
1106acb82929718e88050a571c592364

SHA1
512c78a1127732a9f931680a744a2af0da7ca830

SHA256
4e9af5bdeae3d148b8d8de39a8bdd47e7a8720719c182aee76d78b4d6ed9e6c3

SHA512
9d555fedfce017fca8894baa0e7c77c316c7b9d1d9c6321f8b770d2ab27f8fa88514d6605f4886d6fb64c6005c7abaf4cf6c7fc5a485cfce9275014c0f979dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yvweit\yxve.exe

Filesize
261KB

MD5
51f64864a1995f09ff5caccc219025ff

SHA1
af48934b2909e082a8560a5383a94febf7121c94

SHA256
c1b10830806ecfa2c1d032664dcefcb15345c757acfa91d0334c628b8dc0d900

SHA512
61f8ece415142acf41ddbc95dc3f158b8706f870f98f39b8b8ee3d38fdef981592682235f4bba7ce82eb46bb38da8f7ddc70b46db51405eb6d2f616a7f337341

Download Submit
memory/2400-19-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/2400-0-0x00000000742C1000-0x00000000742C2000-memory.dmp

Filesize
4KB

Download
memory/2400-1-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/2400-2-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/2400-16-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/2692-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2708-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-18-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2708-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-9-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-3-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2720-30-0x00000000742C1000-0x00000000742C2000-memory.dmp

Filesize
4KB

Download
memory/2720-45-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download