34dfa393420e082474bfc01a61776b2c9bfc090608b17b29288da0b03f6bf506

Analysis

max time kernel
148s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10-08-2024 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8800be9096fe4872e59265cd9a23b173_JaffaCakes118.exe
Size

84KB
MD5

8800be9096fe4872e59265cd9a23b173
SHA1

18908f602d158554e453cfdb8d5998303f02bddc
SHA256

34dfa393420e082474bfc01a61776b2c9bfc090608b17b29288da0b03f6bf506
SHA512

970520c7eb12e196621c1efafd81b8f3275cfe0e330f7180818f4e25cef86d649396eec67b402814b99850274f5bee2bcd205a11f7050759bff92b1fa121d183
SSDEEP

1536:6r7R+LVGdm9REBJNMOiyF3O8U44LsLWiFTcS3:u+54m9XIF3zU4YsiiuS3

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2828	Explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
2828	Explorer.exe
2804	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2720	8800be9096fe4872e59265cd9a23b173_JaffaCakes118.exe
2828	Explorer.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Wdoewdjwgl\Path.rcd	8800be9096fe4872e59265cd9a23b173_JaffaCakes118.exe
File created	C:\Program Files (x86)\Rqqilq Ngzgykue\Explorer.exe	8800be9096fe4872e59265cd9a23b173_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Rqqilq Ngzgykue\Explorer.exe	8800be9096fe4872e59265cd9a23b173_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Wdoewdjwgl\31408	Explorer.exe
File opened for modification	C:\Program Files (x86)\Wdoewdjwgl\24205	Explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8800be9096fe4872e59265cd9a23b173_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe
2828	Explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2828	2720	8800be9096fe4872e59265cd9a23b173_JaffaCakes118.exe	30
PID 2720 wrote to memory of 2828	2720	8800be9096fe4872e59265cd9a23b173_JaffaCakes118.exe	30
PID 2720 wrote to memory of 2828	2720	8800be9096fe4872e59265cd9a23b173_JaffaCakes118.exe	30
PID 2720 wrote to memory of 2828	2720	8800be9096fe4872e59265cd9a23b173_JaffaCakes118.exe	30
PID 2828 wrote to memory of 2804	2828	Explorer.exe	31
PID 2828 wrote to memory of 2804	2828	Explorer.exe	31
PID 2828 wrote to memory of 2804	2828	Explorer.exe	31
PID 2828 wrote to memory of 2804	2828	Explorer.exe	31

C:\Users\Admin\AppData\Local\Temp\8800be9096fe4872e59265cd9a23b173_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8800be9096fe4872e59265cd9a23b173_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Program Files (x86)\Rqqilq Ngzgykue\Explorer.exe
  .
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Program Files (x86)\Rqqilq Ngzgykue\explorer.exe
    explorer.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Wdoewdjwgl\31408

Filesize
11KB

MD5
6372b1b2bfe92ba75673d31da03aedc7

SHA1
df694f6e8d16170fc7721cc5c8504b689deda4a5

SHA256
d1e10a5d79ee2005e8d2a124c101f210fcb2a12895d8eeea09b5be056ad6b48f

SHA512
25e513c75d4a089b87b8138fca2a17c74e68c1921b615f3f2ed61768a36bdc54094a69f4d3fcf65bdf281452f5c5387beb4cf6764b321e56dd18ec9e575dd2a2

Download Submit
C:\Program Files (x86)\Wdoewdjwgl\Path.rcd

Filesize
260B

MD5
53ed2f8a31c80ae9fc436c92fa0f337e

SHA1
05b0d25eae65a540dc0ca5b14d270a71ccbcebdd

SHA256
845027c4ef29fdc552a1b194232bff1baad19f40b2b4fa9b5a8f100d2bf6b43e

SHA512
6843b007482ea212c6c573fbd8a2f8d766c1e813a575680cb596e2e8588df9d4418e15d3f7ef3083fd7875f10639ec6e9431b33b4f407e76322f5bad9fd42f7d

Download Submit
\Program Files (x86)\Rqqilq Ngzgykue\Explorer.exe

Filesize
2.6MB

MD5
c214226270f3099478dff856eb3b2c77

SHA1
033fb6ee402db0b6d3deb8b73076e3b216fe1c0a

SHA256
c33f0a44a1c95be3af458f50ca67e3aa33ac13b8d09b04ac4c3afd5ec7fbe0c7

SHA512
cfe7e94bb7cc8a5d663552983f2966f75592091c3a7b45f4a8789b782cfac32142531427284bb22df77a5f681102fe621d72fd9fa6b177f6eb1f11687c16e09c

Download Submit