4596c897e052801575780f5b66a35b2c48133964be075d4b5c891b54e222a7fd

Analysis

max time kernel
140s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2024 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83ce5b762ff2a9f73c83a79baecdc7fa_JaffaCakes118.exe
Size

463KB
MD5

83ce5b762ff2a9f73c83a79baecdc7fa
SHA1

c2707b0703798343364e32cd1b8ad3609be76d93
SHA256

4596c897e052801575780f5b66a35b2c48133964be075d4b5c891b54e222a7fd
SHA512

28ee0f3bb595176fee563f57865d02515cdfc48f25d83dcf5691d8dd3bb8a80eec864cf719ff238e1024e559e0ed09354fca973df1d65377e0e6d34b19cce72c
SSDEEP

12288:iLoSy90aG/0ccxa/ES1ilSgJbRcdK7HEU3:QyrG/0d+EjlP9MKz73

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
224	2.exe
5064	GIUCMI~1.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	83ce5b762ff2a9f73c83a79baecdc7fa_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	83ce5b762ff2a9f73c83a79baecdc7fa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GIUCMI~1.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
224	2.exe
224	2.exe
224	2.exe
224	2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5064	GIUCMI~1.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 224	1580	83ce5b762ff2a9f73c83a79baecdc7fa_JaffaCakes118.exe	84
PID 1580 wrote to memory of 224	1580	83ce5b762ff2a9f73c83a79baecdc7fa_JaffaCakes118.exe	84
PID 1580 wrote to memory of 224	1580	83ce5b762ff2a9f73c83a79baecdc7fa_JaffaCakes118.exe	84
PID 224 wrote to memory of 3432	224	2.exe	56
PID 224 wrote to memory of 3432	224	2.exe	56
PID 224 wrote to memory of 3432	224	2.exe	56
PID 224 wrote to memory of 3432	224	2.exe	56
PID 1580 wrote to memory of 5064	1580	83ce5b762ff2a9f73c83a79baecdc7fa_JaffaCakes118.exe	92
PID 1580 wrote to memory of 5064	1580	83ce5b762ff2a9f73c83a79baecdc7fa_JaffaCakes118.exe	92
PID 1580 wrote to memory of 5064	1580	83ce5b762ff2a9f73c83a79baecdc7fa_JaffaCakes118.exe	92

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3432
- C:\Users\Admin\AppData\Local\Temp\83ce5b762ff2a9f73c83a79baecdc7fa_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\83ce5b762ff2a9f73c83a79baecdc7fa_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:224
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GIUCMI~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GIUCMI~1.EXE
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe

Filesize
185KB

MD5
aed81eed8aaa5dd2a96ad2aca9f9230a

SHA1
0f782c46d7a9aab6877f9be2e28beb43cce5cb9f

SHA256
e3c1c56c0fc7cd64bf59a4e7783df3ee6025216b6aa99e2fa7e6262490e175b4

SHA512
b7f0c1af37a83bd5c70dc19e300ba9c54e1e70c69065a73a8a6d9c1887c172ba9406d76fcc2c5d9e3b76d98488e8f3eeb6e2b8a880b3e2e01b81b8bc89e4b69f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GIUCMI~1.EXE

Filesize
292KB

MD5
2329791b1dbf51d816eab7ee28991719

SHA1
a9e88f4eefa0524a32d0e5f092b6e74583714ede

SHA256
ea7d10dd1789829edea370d8ae2c0a0ae6fca578c66d46cda37e8baa9eae597f

SHA512
079ba18b27b87c8d6a3f5553119800e438608924d76d480fc1d0483a3ef65806462104e3f46c9a8db3e5e4769dbacbbc123436c5223b0e601dd0a228b0d10907

Download Submit
memory/224-7-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/224-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/224-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/224-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/224-12-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/224-17-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/3432-13-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3432-14-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download