b156300fe7c35a282f8bffbd5acffc5f62d0ccd064e5a32cdcfd3f2f39a70497

Analysis

max time kernel
141s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe
Size

857KB
MD5

87353e83707ae9961599a4472bb8bc73
SHA1

393fcd2a419d832021ce15ccf99466f57775b5cf
SHA256

b156300fe7c35a282f8bffbd5acffc5f62d0ccd064e5a32cdcfd3f2f39a70497
SHA512

0c842c9a4e7f2504a0de213bb87d72a9a1a8b4cb9e4a9b15c0e4f41f898ba7aa10f8ee74849bc55de6089d598907f4bcdffd6a902729f2bde95b6ac028ff4dcd
SSDEEP

24576:uc//////FqsVqMyLrr4cWRSvEPaVspeYmVnwO:uc//////YrNrrOCEi+/0r

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2676	Ë«¿ª²¹¶¡.exe

Loads dropped DLL 9 IoCs

pid	Process
2640	cmd.exe
2672	cmd.exe
2640	cmd.exe
2672	cmd.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2560	WerFault.exe
2560	WerFault.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2560	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process
2560	2676	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ë«¿ª²¹¶¡.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	·þÎñÆ÷×´Ì¬²éÑ¯.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	·þÎñÆ÷×´Ì¬²éÑ¯.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe
2808	·þÎñÆ÷×´Ì¬²éÑ¯.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2640	3044	87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2640	3044	87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2640	3044	87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2640	3044	87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2672	3044	87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe	31
PID 3044 wrote to memory of 2672	3044	87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe	31
PID 3044 wrote to memory of 2672	3044	87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe	31
PID 3044 wrote to memory of 2672	3044	87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe	31
PID 2640 wrote to memory of 2808	2640	cmd.exe	34
PID 2640 wrote to memory of 2808	2640	cmd.exe	34
PID 2640 wrote to memory of 2808	2640	cmd.exe	34
PID 2640 wrote to memory of 2808	2640	cmd.exe	34
PID 2672 wrote to memory of 2676	2672	cmd.exe	35
PID 2672 wrote to memory of 2676	2672	cmd.exe	35
PID 2672 wrote to memory of 2676	2672	cmd.exe	35
PID 2672 wrote to memory of 2676	2672	cmd.exe	35
PID 2676 wrote to memory of 2560	2676	Ë«¿ª²¹¶¡.exe	36
PID 2676 wrote to memory of 2560	2676	Ë«¿ª²¹¶¡.exe	36
PID 2676 wrote to memory of 2560	2676	Ë«¿ª²¹¶¡.exe	36
PID 2676 wrote to memory of 2560	2676	Ë«¿ª²¹¶¡.exe	36

C:\Users\Admin\AppData\Local\Temp\87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\\·þÎñÆ÷×´Ì¬²éÑ¯.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\·þÎñÆ÷×´Ì¬²éÑ¯.exe
    C:\Users\Admin\AppData\Local\Temp\\·þÎñÆ÷×´Ì¬²éÑ¯.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\\Ë«¿ª²¹¶¡.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\Ë«¿ª²¹¶¡.exe
    C:\Users\Admin\AppData\Local\Temp\\Ë«¿ª²¹¶¡.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 36
      4⤵
      Loads dropped DLL
      Program crash
      PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\·þÎñÆ÷×´Ì¬²éÑ¯.exe

Filesize
761KB

MD5
ff30f22d2ad36ebd994b3d84341cfb0b

SHA1
5790d0cda75206fb0b285b2bc0852dc6486fc213

SHA256
18203894f4ca3929deeca2dfd03116c64b40cb5b239e68879b931b71ff9f2157

SHA512
fba0ce2af40327769f45cb8d2856d333db1b5dde595e4c71e2c16101a61fb7d8bfe8cf1d39f8d67c83da9e34fd80085ec5f1b7a097222045e95660a1c0a11555

Download Submit
\Users\Admin\AppData\Local\Temp\MBX@AF8@1E70D78.###

Filesize
2KB

MD5
e1fe2d00681cc4b446d98df05f1ad942

SHA1
4e625c8ca6e33da097aa8467c5cb89eb6ca36a11

SHA256
7ae7c485a9567b785ed25306de4b8c76499da0cda7e61a4a3192905623dc5f35

SHA512
2a1f558e9e6323e33a7bfb362768b034b293a7be84e7940f9c67ce5fa98fa37ae0cd2dc7713538b7d828a5c5cf5f5187eff834a1c476eb0e5b86bc67fdcd5eb7

Download Submit
\Users\Admin\AppData\Local\Temp\MBX@AF8@1E70D88.###

Filesize
2KB

MD5
cd086e8af1ce87793b34528f0ce8a732

SHA1
9c9e5cc3bf9ce159b98083a53a046807c584cbb6

SHA256
8402cdb13b16c62871dd853f7526bc68e1973ec57f35b7b931103e88d31f7f9a

SHA512
0e5f3b3a4ba616d314add2c2381e53205e37d911a0aee68502aa5c8a92eb53b540cb7e1417131a6847e1644063e28f4a807f5017c7e4ba551e1ea5c87125ef23

Download Submit
\Users\Admin\AppData\Local\Temp\Ë«¿ª²¹¶¡.exe

Filesize
17KB

MD5
95c93370200a75aec0f41d79088323c3

SHA1
c5f6eb49d5cd606c5c94120689c253a3436060b6

SHA256
30493eb9174dd9f42baaee65ad3a1fbdb17485b3856fbfb49574cb6ef4eaef5a

SHA512
4a5368a0b01cde5dd4869f7dca1abc7f1553a0fb08d8d3956d0089e1bc206d5a6590bedaef7d7e9e309f8de938e6f1899294fe5f71af7d9d28e9df4afde21082

Download Submit
memory/2640-5-0x0000000000120000-0x000000000015C000-memory.dmp

Filesize
240KB

Download
memory/2640-15-0x0000000000120000-0x000000000015C000-memory.dmp

Filesize
240KB

Download
memory/2640-69-0x0000000000120000-0x000000000015C000-memory.dmp

Filesize
240KB

Download
memory/2672-17-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2672-68-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2672-14-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2676-19-0x0000000010001000-0x000000001000C000-memory.dmp

Filesize
44KB

Download
memory/2676-12-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2676-13-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2676-18-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2808-34-0x0000000000540000-0x0000000000579000-memory.dmp

Filesize
228KB

Download
memory/2808-71-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2808-27-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2808-25-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2808-36-0x0000000000540000-0x0000000000579000-memory.dmp

Filesize
228KB

Download
memory/2808-35-0x0000000000540000-0x0000000000579000-memory.dmp

Filesize
228KB

Download
memory/2808-115-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2808-33-0x0000000000540000-0x0000000000579000-memory.dmp

Filesize
228KB

Download
memory/2808-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2808-65-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2808-66-0x0000000000540000-0x0000000000579000-memory.dmp

Filesize
228KB

Download
memory/2808-24-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2808-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2808-23-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2808-75-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2808-79-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2808-83-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2808-87-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2808-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2808-91-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2808-95-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2808-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2808-99-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2808-103-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2808-107-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2808-111-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3044-2-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download