a49ac03a4abd8b511af4beb244d56baf31cb66efd36499f83df5ae666650bc0b

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-08-2024 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84125d2136fb539ab27bd790f34be491_JaffaCakes118.exe
Size

1.2MB
MD5

84125d2136fb539ab27bd790f34be491
SHA1

6f105e4603f9b19b0cf8589e8143d0c269fb9d0b
SHA256

a49ac03a4abd8b511af4beb244d56baf31cb66efd36499f83df5ae666650bc0b
SHA512

143662efc7ee0899b529567ed1e2592e1de7d6e51f8a702cfbf701d9f594a20902258ac0d23eb13e9b0c162d677b3be4fe852a5f391b60c8ed6bbbff5f34c61d
SSDEEP

12288:YUEBLOou6QkHn7udX08j5JcPPPNdp73rigJJI9XJyjA9O4Ib4J8mAW03k3WKeXBI:TEBLQ6QkH7/P9DriII9iOO4mhT0NeemI

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2544	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
1700	84125d2136fb539ab27bd790f34be491_JaffaCakes118.exe
1700	84125d2136fb539ab27bd790f34be491_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84125d2136fb539ab27bd790f34be491_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1700	84125d2136fb539ab27bd790f34be491_JaffaCakes118.exe
1700	84125d2136fb539ab27bd790f34be491_JaffaCakes118.exe
2544	explorer.exe
2544	explorer.exe
2544	explorer.exe
2544	explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2544	1700	84125d2136fb539ab27bd790f34be491_JaffaCakes118.exe	30
PID 1700 wrote to memory of 2544	1700	84125d2136fb539ab27bd790f34be491_JaffaCakes118.exe	30
PID 1700 wrote to memory of 2544	1700	84125d2136fb539ab27bd790f34be491_JaffaCakes118.exe	30
PID 1700 wrote to memory of 2544	1700	84125d2136fb539ab27bd790f34be491_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2832	2544	explorer.exe	32
PID 2544 wrote to memory of 2832	2544	explorer.exe	32
PID 2544 wrote to memory of 2832	2544	explorer.exe	32
PID 2544 wrote to memory of 2832	2544	explorer.exe	32

C:\Users\Admin\AppData\Local\Temp\84125d2136fb539ab27bd790f34be491_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\84125d2136fb539ab27bd790f34be491_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\explorer.exe" --ch=1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\23097.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\23097.bat

Filesize
183B

MD5
6f4641a52364cde7bf57bb14a541f272

SHA1
8aa34dd6c5e81e8eced4ed98f3db0bcab522c8e3

SHA256
8e5928b590bd5e554053aaa736c4d87c664da02672028b3d3b55d4e8b095da94

SHA512
81abc03263439ca48889d7e2833f494f5e3c6ce8164258a8d39090b57694b8f20763a619225299886effa9770fd1fea61db7492fd26c8eba25392dc9b3afd5d3

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
1.2MB

MD5
84125d2136fb539ab27bd790f34be491

SHA1
6f105e4603f9b19b0cf8589e8143d0c269fb9d0b

SHA256
a49ac03a4abd8b511af4beb244d56baf31cb66efd36499f83df5ae666650bc0b

SHA512
143662efc7ee0899b529567ed1e2592e1de7d6e51f8a702cfbf701d9f594a20902258ac0d23eb13e9b0c162d677b3be4fe852a5f391b60c8ed6bbbff5f34c61d

Download Submit
memory/1700-0-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/1700-1-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/1700-11-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/1700-27-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/2544-10-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/2544-12-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/2544-25-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download