3eb13f59862b0b8704f47dff670d4f139a3a19e4eceb7b8f3ba2ef78927c49de

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 05:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8345c52025f7860b56af8dc767cf9e2f_JaffaCakes118.exe
Size

48KB
MD5

8345c52025f7860b56af8dc767cf9e2f
SHA1

c936ed3fda608394ceef756f7a7366aaa336063f
SHA256

3eb13f59862b0b8704f47dff670d4f139a3a19e4eceb7b8f3ba2ef78927c49de
SHA512

5655a1eb093bca6310ba4020b6d08abb12bb554c498db0d6e420096944c1b51b64db862dcecd8e783a2881060bd3ed8d0f427803fc62ec59a286aa2674b80b40
SSDEEP

768:oK2f1pfN8B7Zqf+Rbnh5PaUYzdaMIYQz86CHiPiBFTCk9TO7nESmjid1Trqfd0wC:oKgHuNqabn9mk2TC053jQ1Tr22wOMgJ

Score

8^/10

discovery persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\A8192425\ImagePath = "C:\\Windows\\system32\\B13CE1C0.EXE -A8192425"	8345c52025f7860b56af8dc767cf9e2f_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4048	B13CE1C0.EXE

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\B13CE1C0.EXE	B13CE1C0.EXE
File created	C:\Windows\SysWOW64\delme.bat	8345c52025f7860b56af8dc767cf9e2f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\248C5B2A.DLL	B13CE1C0.EXE
File created	C:\Windows\SysWOW64\B13CE1C0.EXE	8345c52025f7860b56af8dc767cf9e2f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\B13CE1C0.EXE	8345c52025f7860b56af8dc767cf9e2f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B13CE1C0.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8345c52025f7860b56af8dc767cf9e2f_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4164	8345c52025f7860b56af8dc767cf9e2f_JaffaCakes118.exe
4164	8345c52025f7860b56af8dc767cf9e2f_JaffaCakes118.exe
4048	B13CE1C0.EXE
4048	B13CE1C0.EXE
4048	B13CE1C0.EXE
4048	B13CE1C0.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 3152	4164	8345c52025f7860b56af8dc767cf9e2f_JaffaCakes118.exe	86
PID 4164 wrote to memory of 3152	4164	8345c52025f7860b56af8dc767cf9e2f_JaffaCakes118.exe	86
PID 4164 wrote to memory of 3152	4164	8345c52025f7860b56af8dc767cf9e2f_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\8345c52025f7860b56af8dc767cf9e2f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8345c52025f7860b56af8dc767cf9e2f_JaffaCakes118.exe"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\delme.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3152

C:\Windows\SysWOW64\B13CE1C0.EXE
C:\Windows\SysWOW64\B13CE1C0.EXE -A8192425
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\B13CE1C0.EXE

Filesize
48KB

MD5
8345c52025f7860b56af8dc767cf9e2f

SHA1
c936ed3fda608394ceef756f7a7366aaa336063f

SHA256
3eb13f59862b0b8704f47dff670d4f139a3a19e4eceb7b8f3ba2ef78927c49de

SHA512
5655a1eb093bca6310ba4020b6d08abb12bb554c498db0d6e420096944c1b51b64db862dcecd8e783a2881060bd3ed8d0f427803fc62ec59a286aa2674b80b40

Download Submit
C:\Windows\SysWOW64\delme.bat

Filesize
239B

MD5
114854c9b2e2a3203ca6499dc8e52e34

SHA1
2dffac0194510c6cfaf21ebd795af31a73cc1250

SHA256
a941618bcc4e347ff1c4452af2c9c16e2055c7216201c33c06defe38976233b9

SHA512
ee3ca9154e2c4bfc060599ef663102b2872c313d0a93458f0e02603e1edc52bd7fdc6ed3c0480eda0879184d6a097d60d376b78848934f50a6cb9072c38f77f7

Download Submit
memory/4048-5-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4048-6-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/4048-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4164-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4164-1-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/4164-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download