0e5c57d5c3320b72234b8bc80200bf566b1277bafc433073caa73b8212dc7538

Analysis

max time kernel
140s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2024 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87e58c1a0be38d6c4787d73bc3a3c835_JaffaCakes118.exe
Size

53KB
MD5

87e58c1a0be38d6c4787d73bc3a3c835
SHA1

2502520d4afc9b3cfa207638dfa9344a7738cdb9
SHA256

0e5c57d5c3320b72234b8bc80200bf566b1277bafc433073caa73b8212dc7538
SHA512

79b92136d036fa05a45adb5687c6b15be5e4b5c61b73b1eaa12ab29afa5728d56a53fa96e062d66904653f49c8bb828bbaf66e66a4f57b580b1bb099cda8acec
SSDEEP

768:Umrx/7AO1UTFSRM5Q/6ANtB36bw2iYLTyymErEJY+YZGPWouJK:U6A5kREQ/tJ36bw2iSjrEG+GlJK

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\libeax.dll	87e58c1a0be38d6c4787d73bc3a3c835_JaffaCakes118.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\trjset.ini	87e58c1a0be38d6c4787d73bc3a3c835_JaffaCakes118.exe
File created	C:\Windows\system\smss.txt	87e58c1a0be38d6c4787d73bc3a3c835_JaffaCakes118.exe
File created	C:\Windows\system\smss.txt2	87e58c1a0be38d6c4787d73bc3a3c835_JaffaCakes118.exe
File created	C:\Windows\system\smss.exe	87e58c1a0be38d6c4787d73bc3a3c835_JaffaCakes118.exe
File opened for modification	C:\Windows\system\smss.exe	87e58c1a0be38d6c4787d73bc3a3c835_JaffaCakes118.exe
File created	C:\Windows\wsock.txt	87e58c1a0be38d6c4787d73bc3a3c835_JaffaCakes118.exe
File created	C:\Windows\wsock.txt2	87e58c1a0be38d6c4787d73bc3a3c835_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87e58c1a0be38d6c4787d73bc3a3c835_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1636	87e58c1a0be38d6c4787d73bc3a3c835_JaffaCakes118.exe
1636	87e58c1a0be38d6c4787d73bc3a3c835_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 2604	1636	87e58c1a0be38d6c4787d73bc3a3c835_JaffaCakes118.exe	84
PID 1636 wrote to memory of 2604	1636	87e58c1a0be38d6c4787d73bc3a3c835_JaffaCakes118.exe	84
PID 1636 wrote to memory of 2604	1636	87e58c1a0be38d6c4787d73bc3a3c835_JaffaCakes118.exe	84
PID 2604 wrote to memory of 1532	2604	cmd.exe	86
PID 2604 wrote to memory of 1532	2604	cmd.exe	86
PID 2604 wrote to memory of 1532	2604	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\87e58c1a0be38d6c4787d73bc3a3c835_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\87e58c1a0be38d6c4787d73bc3a3c835_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\SysWOW64\cmd.exe
  cmd /C schtasks /create /ru system /sc co_minutê /mo 5 /tn trjsrv /tr %windir%\system\smss.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /ru system /sc co_minutê /mo 5 /tn trjsrv /tr C:\Windows\system\smss.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\smss.txt2

Filesize
4KB

MD5
802d51ddd064be5418ae3523dbc5c2c4

SHA1
c4117a4b444659613735608e0198282aec683843

SHA256
dac9b01501913ba107d2e3b51a7c846fd1a852c1f58999b8055daf794a1775e5

SHA512
1527d31559542139c4a8fc16141e61ffb356c0be40eca4aee3413c950b96b0d09f232b468bceb18f2d9d5369a38d5596f2632517287392af3cddd9d7fbb55e16

Download Submit