312efa97a99740c006036a7771bc29ded76709e61f285cfee5c2f1caf52da694

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
Size

156KB
MD5

834e4fb336d864affdd5a03d7a930905
SHA1

4a09c7569aa4a3fcc5a862b2a1b795047d8cf7f9
SHA256

312efa97a99740c006036a7771bc29ded76709e61f285cfee5c2f1caf52da694
SHA512

1541fbc193a6765f020c99eb983c03f93258394055a688bbb6b372135bdccb809843169205e38ede2f0b36ebd5ce9aba3b8ee98d155f3ef17f14ff39d2c7e166
SSDEEP

3072:Y6AOL9lqh+NzQ7Ql5YLrPcb+T9loA9wHzWO9Hmlk1njaT:Y6AuVNAQrWcUoA9wT7kkV

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2604	iexplore.exe
2252	iexplore.exe

Loads dropped DLL 2 IoCs

pid	Process
2524	cmd.exe
2524	cmd.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Internet Explorer Resources = "C:\\Users\\Admin\\AppData\\Roaming\\iexplore.œ"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Internet Explorer Resources = "C:\\Users\\Admin\\AppData\\Roaming\\iexplore.\x18"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Internet Explorer Resources = "C:\\Users\\Admin\\AppData\\Roaming\\{admin}\\iexplore.exe"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Internet Explorer Resources = "C:\\Users\\Admin\\AppData\\Roaming\\iexplore.\u00a0"	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Internet Explorer Resources = "C:\\Users\\Admin\\AppData\\Roaming\\iexplore.˜"	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Internet Explorer Resources = "C:\\Users\\Admin\\AppData\\Roaming\\{admin}\\iexplore.exe"	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2672 set thread context of 2764	2672	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	31
PID 2604 set thread context of 2252	2604	iexplore.exe	37

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2764	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2764	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
Token: 33	2252	iexplore.exe
Token: SeIncBasePriorityPrivilege	2252	iexplore.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2672	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
2604	iexplore.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2764	2672	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2764	2672	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2764	2672	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2764	2672	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2764	2672	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2764	2672	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2764	2672	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2764	2672	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	31
PID 2672 wrote to memory of 2764	2672	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	31
PID 2764 wrote to memory of 2820	2764	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	32
PID 2764 wrote to memory of 2820	2764	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	32
PID 2764 wrote to memory of 2820	2764	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	32
PID 2764 wrote to memory of 2820	2764	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	32
PID 2764 wrote to memory of 2524	2764	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	34
PID 2764 wrote to memory of 2524	2764	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	34
PID 2764 wrote to memory of 2524	2764	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	34
PID 2764 wrote to memory of 2524	2764	834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe	34
PID 2524 wrote to memory of 2604	2524	cmd.exe	36
PID 2524 wrote to memory of 2604	2524	cmd.exe	36
PID 2524 wrote to memory of 2604	2524	cmd.exe	36
PID 2524 wrote to memory of 2604	2524	cmd.exe	36
PID 2604 wrote to memory of 2252	2604	iexplore.exe	37
PID 2604 wrote to memory of 2252	2604	iexplore.exe	37
PID 2604 wrote to memory of 2252	2604	iexplore.exe	37
PID 2604 wrote to memory of 2252	2604	iexplore.exe	37
PID 2604 wrote to memory of 2252	2604	iexplore.exe	37
PID 2604 wrote to memory of 2252	2604	iexplore.exe	37
PID 2604 wrote to memory of 2252	2604	iexplore.exe	37
PID 2604 wrote to memory of 2252	2604	iexplore.exe	37
PID 2604 wrote to memory of 2252	2604	iexplore.exe	37

C:\Users\Admin\AppData\Local\Temp\834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\834e4fb336d864affdd5a03d7a930905_JaffaCakes118.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\JBORE.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\RMBEG.bat
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Users\Admin\AppData\Roaming\{admin}\iexplore.exe
      "C:\Users\Admin\AppData\Roaming\{admin}\iexplore.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Users\Admin\AppData\Roaming\{admin}\iexplore.exe
        
        C:\Users\Admin\AppData\Roaming\{admin}\iexplore.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\JBORE.bat

Filesize
145B

MD5
c33f56c62e07c5b69fb4a1f181a3bec4

SHA1
e736a92c32f330a35f5efdf4fe938f9b10f3fe68

SHA256
008c1aaf5af78b882282f256f276883aa9a152b9c71ab990fb79ff7d0368e93d

SHA512
7c32f47f06cdc5248261830dca62adb5be5a0bfa5724eee294702b439b69507fd33ee8dc50ef97994bb9571a51ddde32e1ce1b70a4b69a89f26b1ff02075ff0a

Download Submit
C:\RMBEG.bat

Filesize
53B

MD5
717473935c780a6d872923e441179ad0

SHA1
e52edaa1fb65498fd7f9cfab709e89bf4e6e9d91

SHA256
ae6d39e6b875d9ad0e3726f0e76dcc1694987a10630b42641998929e8361a116

SHA512
553a250edf1458e298c319db622c26a49cdab873b92dcd44970f86e407b38c44478cb870683c7fad7e863d29c30a483d47c0e5ac486bb11c03ba76ce16c3dd40

Download Submit
C:\Users\Admin\AppData\Roaming\{admin}\iexplore.exe

Filesize
156KB

MD5
834e4fb336d864affdd5a03d7a930905

SHA1
4a09c7569aa4a3fcc5a862b2a1b795047d8cf7f9

SHA256
312efa97a99740c006036a7771bc29ded76709e61f285cfee5c2f1caf52da694

SHA512
1541fbc193a6765f020c99eb983c03f93258394055a688bbb6b372135bdccb809843169205e38ede2f0b36ebd5ce9aba3b8ee98d155f3ef17f14ff39d2c7e166

Download Submit
memory/2252-60-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2604-40-0x0000000000640000-0x0000000000793000-memory.dmp

Filesize
1.3MB

Download
memory/2764-14-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2764-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2764-15-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2764-12-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2764-24-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2764-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2764-8-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2764-6-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2764-4-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads