b6f1c59482bfef35c59dd51e079b74fdd2f35a25dec1a180f656a0018a7290c4

Analysis

max time kernel
139s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2024 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85cba67f52c21578fc013c5dc2020aff_JaffaCakes118.exe
Size

10KB
MD5

85cba67f52c21578fc013c5dc2020aff
SHA1

fcc195dff33807c4e11066d5a52029c82ad82426
SHA256

b6f1c59482bfef35c59dd51e079b74fdd2f35a25dec1a180f656a0018a7290c4
SHA512

8442e24b6feef209e90596e0dfa3bbf2fd054d5bc8211c01dd3ef8f72ee3e5a983149eafda05dfa2109bb59d955ef2474bee15e95fbc2ac4798a734d3a8fa61a
SSDEEP

96:4yxvzsRAHNym+QkxDxSyTDemmGTXe/pK05sSwvjmvUuNucMKIE8:DxvIRQN1+Qk55aMrVPrx2

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
536	me.log

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\newwn.tmp	85cba67f52c21578fc013c5dc2020aff_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\newws.tmp	85cba67f52c21578fc013c5dc2020aff_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\wininet.dll	85cba67f52c21578fc013c5dc2020aff_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\ws2_32.dll	85cba67f52c21578fc013c5dc2020aff_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\oldws.tmp	85cba67f52c21578fc013c5dc2020aff_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\oldwn.tmp	85cba67f52c21578fc013c5dc2020aff_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\newwn.tmp	85cba67f52c21578fc013c5dc2020aff_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\newws.tmp	85cba67f52c21578fc013c5dc2020aff_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\oldwn.tmp	85cba67f52c21578fc013c5dc2020aff_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2364	536	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85cba67f52c21578fc013c5dc2020aff_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	me.log

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
536	me.log
536	me.log

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	536	me.log

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 536	4588	85cba67f52c21578fc013c5dc2020aff_JaffaCakes118.exe	84
PID 4588 wrote to memory of 536	4588	85cba67f52c21578fc013c5dc2020aff_JaffaCakes118.exe	84
PID 4588 wrote to memory of 536	4588	85cba67f52c21578fc013c5dc2020aff_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\85cba67f52c21578fc013c5dc2020aff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\85cba67f52c21578fc013c5dc2020aff_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Users\Admin\AppData\Local\Temp\me.log
  C:\Users\Admin\AppData\Local\Temp\me.log
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 352
    3⤵
    - Program crash
    PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 536 -ip 536
1⤵
PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\me.log

Filesize
3KB

MD5
d992f36db85b196563f6978dcde0f543

SHA1
7b87b4502bb082fdd03b706755495b88a684af4a

SHA256
ae6d48a67bc31a055cb47ec069e3282571ab939feedd5b3b530aa934def4b964

SHA512
2c8a6ccb74303714c35b78b34ba8b7fdc35cf7645fdf6cefb2b24c7bda47917d2677fa6703e674f5955410f9cce8f0c6672562e642ad8f28a8bb31cbf97eb9c7

Download Submit
C:\Windows\SysWOW64\newwn.tmp

Filesize
4.3MB

MD5
0fafc7dd4b21f3ff3ac171d3e02ad029

SHA1
61e382303d962632b4a53d0f9370e9419e5e0a1e

SHA256
3c843255c5882552247b16793585eec0701c90f95adccfa15011ec6039fc64dc

SHA512
df3cf9792dcbad5a8dd2d2df2b6e592ab4633d12607280f0ffaab9873638e35ad4888324dd29732f11c39afb76cb8721ae4cca01350225faa27ab3b94d355826

Download Submit
C:\Windows\SysWOW64\newws.tmp

Filesize
392KB

MD5
24f4ca4808b6da4ae1009389bdcb220b

SHA1
687c0b8d3ce0700866d7c41d259a29d42c041cd8

SHA256
29de066bb1fc0455c658b09d900bcc048f3dac6bdab059a1122aee96b8fd24b4

SHA512
08988ce490ed7a9d817a52d934f1f9af809573427ab2045319f9a3a4097741447a7ff69a3619ebbf432165e729606660b1f1a3b659b874880b8bf6f144b28bf0

Download Submit