48a959c2ddc869271a1419639171ee24878370291e4c22a25f74fb149a94d8d0

Analysis

max time kernel
141s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85e9f96027edea14f0ae087c7003438d_JaffaCakes118.exe
Size

743KB
MD5

85e9f96027edea14f0ae087c7003438d
SHA1

e83e68d4f1ccf93429235e27abc06f07dba5dc9a
SHA256

48a959c2ddc869271a1419639171ee24878370291e4c22a25f74fb149a94d8d0
SHA512

86f2bd351ce01d5448bbc371ae81100b474d226185a179fb13476cbacbfd5e665529fbac3c6add3e792dd353cb7069722b25eddf817dea520e1c1118553cf205
SSDEEP

12288:DRn8S++U4u/n/80dW5A0zyo6JwQ5oAlK+GPHvZyIk9tQQ52LYRg08yPwDRui:98MU4ufxdW5A2mJr/kNHvQIk9h3Y

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2880	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
948	360stay.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\61642520.BAT	85e9f96027edea14f0ae087c7003438d_JaffaCakes118.exe
File created	C:\Windows\360stay.exe	85e9f96027edea14f0ae087c7003438d_JaffaCakes118.exe
File opened for modification	C:\Windows\360stay.exe	85e9f96027edea14f0ae087c7003438d_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85e9f96027edea14f0ae087c7003438d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	360stay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2052	85e9f96027edea14f0ae087c7003438d_JaffaCakes118.exe
Token: SeDebugPrivilege	948	360stay.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
948	360stay.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 2256	948	360stay.exe	30
PID 948 wrote to memory of 2256	948	360stay.exe	30
PID 948 wrote to memory of 2256	948	360stay.exe	30
PID 948 wrote to memory of 2256	948	360stay.exe	30
PID 2052 wrote to memory of 2880	2052	85e9f96027edea14f0ae087c7003438d_JaffaCakes118.exe	31
PID 2052 wrote to memory of 2880	2052	85e9f96027edea14f0ae087c7003438d_JaffaCakes118.exe	31
PID 2052 wrote to memory of 2880	2052	85e9f96027edea14f0ae087c7003438d_JaffaCakes118.exe	31
PID 2052 wrote to memory of 2880	2052	85e9f96027edea14f0ae087c7003438d_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\85e9f96027edea14f0ae087c7003438d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\85e9f96027edea14f0ae087c7003438d_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\61642520.BAT
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2880

C:\Windows\360stay.exe
C:\Windows\360stay.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:948
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\360stay.exe

Filesize
743KB

MD5
85e9f96027edea14f0ae087c7003438d

SHA1
e83e68d4f1ccf93429235e27abc06f07dba5dc9a

SHA256
48a959c2ddc869271a1419639171ee24878370291e4c22a25f74fb149a94d8d0

SHA512
86f2bd351ce01d5448bbc371ae81100b474d226185a179fb13476cbacbfd5e665529fbac3c6add3e792dd353cb7069722b25eddf817dea520e1c1118553cf205

Download Submit
C:\Windows\61642520.BAT

Filesize
218B

MD5
94ddf870ba5c87cc32d72ad1b232c347

SHA1
192e9542b97a9b1adcd0247e829a4597f4720045

SHA256
16ba3890221281622729fe20edf024cb4b1175731a5371c80947ead0a6153cb7

SHA512
3e27b5b4a7eb4fd97cc5582e418f72195fa561610a52ac7d8d047d8d0a45268c8de3c249de2abb0f12d3566a6f1104215e7f51c23e037bf3d5f2153f665f2803

Download Submit
memory/948-6-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/948-5-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/948-17-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/948-19-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2052-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2052-1-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2052-15-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download