6d9be68cff944a0ade1ff8a4158824f5295406f5f30b42d06f1df2cd5d41fd97

Analysis

max time kernel
149s
max time network
78s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
01/08/2024, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81bfe3c546c8e1ee81c0301da7ba06d1_JaffaCakes118.exe
Size

34KB
MD5

81bfe3c546c8e1ee81c0301da7ba06d1
SHA1

910e9368421739fe38a4f6fbfd9eebd907162f55
SHA256

6d9be68cff944a0ade1ff8a4158824f5295406f5f30b42d06f1df2cd5d41fd97
SHA512

2e1f67179e6601c6bc4ef0a1a7c708db311c03ea37ddd1dc0b8498b0b825f41df7b4eb38e1c497041d6dd04dd3a15fd9c62c14ab09c496cca9580aac3f280156
SSDEEP

768:cflivXrVKpVhKvtxwYHwVFoeAQKmucwUI:ylqrVKprVuQKj

Score

10^/10

discovery

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2008	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
1476	81bfe3c546c8e1ee81c0301da7ba06d1_JaffaCakes118.exe
1476	81bfe3c546c8e1ee81c0301da7ba06d1_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\79e1683c\jusched.exe	81bfe3c546c8e1ee81c0301da7ba06d1_JaffaCakes118.exe
File created	C:\Program Files (x86)\79e1683c\79e1683c	81bfe3c546c8e1ee81c0301da7ba06d1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81bfe3c546c8e1ee81c0301da7ba06d1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jusched.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe
2008	jusched.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 2008	1476	81bfe3c546c8e1ee81c0301da7ba06d1_JaffaCakes118.exe	29
PID 1476 wrote to memory of 2008	1476	81bfe3c546c8e1ee81c0301da7ba06d1_JaffaCakes118.exe	29
PID 1476 wrote to memory of 2008	1476	81bfe3c546c8e1ee81c0301da7ba06d1_JaffaCakes118.exe	29
PID 1476 wrote to memory of 2008	1476	81bfe3c546c8e1ee81c0301da7ba06d1_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\81bfe3c546c8e1ee81c0301da7ba06d1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81bfe3c546c8e1ee81c0301da7ba06d1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Program Files (x86)\79e1683c\jusched.exe
  "C:\Program Files (x86)\79e1683c\jusched.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\79e1683c\79e1683c

Filesize
13B

MD5
f253efe302d32ab264a76e0ce65be769

SHA1
768685ca582abd0af2fbb57ca37752aa98c9372b

SHA256
49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd

SHA512
1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4

Download Submit
\Program Files (x86)\79e1683c\jusched.exe

Filesize
34KB

MD5
e71326df33df7f14b2068bc603ce06de

SHA1
865562519303715fb61d3d8d38b077ebbcd8f1ee

SHA256
5b37562ae857b7f504c7a65599925c9d243d55fba39488d232f25f6e579d588c

SHA512
1a9d285756cdce71405c984c982b9704646e86c45679724ff22ea6d21862638b4060c5b327279463c2192e5ed90b02b158df2d3c28d93427196260e54f493ee0

Download Submit