398c1ff811c065dddc14d61df8d1cfc0b4523b20efe41cab16be226b41b66b85

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86a0b994067b5f3fb91197d48333cf71_JaffaCakes118.exe
Size

264KB
MD5

86a0b994067b5f3fb91197d48333cf71
SHA1

98fddf93494fcdab5d5a21d01ce8f303d41fe30a
SHA256

398c1ff811c065dddc14d61df8d1cfc0b4523b20efe41cab16be226b41b66b85
SHA512

e27e40a22be140a2dd133d02db3141325913756acf8cb447c2a67b1e1f9506f0c530b94a553df442404fbbc473deb0d758063b0a7ebbef25c16d23c02c8b9e51
SSDEEP

6144:KgwAIiUKjIYI/wwrT0gr3tNPNNJLcg4xnXWIkEE0:Kf9pdYI/xjFugKXVk70

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2320	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
3068	86a0b994067b5f3fb91197d48333cf71_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mstimewd.tmp	86a0b994067b5f3fb91197d48333cf71_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mstimewd.tmp	86a0b994067b5f3fb91197d48333cf71_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mstimewd.nls	86a0b994067b5f3fb91197d48333cf71_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86a0b994067b5f3fb91197d48333cf71_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3068	86a0b994067b5f3fb91197d48333cf71_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3068	86a0b994067b5f3fb91197d48333cf71_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2320	3068	86a0b994067b5f3fb91197d48333cf71_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2320	3068	86a0b994067b5f3fb91197d48333cf71_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2320	3068	86a0b994067b5f3fb91197d48333cf71_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2320	3068	86a0b994067b5f3fb91197d48333cf71_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\86a0b994067b5f3fb91197d48333cf71_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\86a0b994067b5f3fb91197d48333cf71_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\D1B1.tmp.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D1B1.tmp.bat

Filesize
207B

MD5
e9c5a142574080f47f3e9ccf592d2a0f

SHA1
96d906b86660472fac6d0518b1bc101eccd2cfdf

SHA256
9ae1f28dc280116d5f8739c5ed3b09e22e2be9edc8cb30add50eea51988adb5a

SHA512
42df15ebfc5c79a488c466f885ced7ff0d0cc8bd0653033d1fd41c88e82842e91e81c8e81fc33158c5aba270f9df9ced9d2a99a47ba9055d37baa84c78c468bf

Download Submit
C:\Windows\SysWOW64\mstimewd.dll

Filesize
1003KB

MD5
e53b17df3e9f38807325f31f7cd99146

SHA1
edd629281d67495638a0da9dc05f868021d23c55

SHA256
ac33abc44eb5eb173b343f8a411b5ef5465e9ab0a1836e07a1e9790e835f88e9

SHA512
11f7b99a16cf1478dbd0db1e37ed785399106d8ceedb16f03ed504e884475cc98e4bd89deba1d0a0eb278e689c76e319af033c85065148b3011560e9b68c653d

Download Submit