e6a0aac94e9aee1a1704f968436547d5e6850c377098616fa0509ad71b41da34

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 01:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8869b1326f728580b980a3945f9319a5_JaffaCakes118.exe
Size

160KB
MD5

8869b1326f728580b980a3945f9319a5
SHA1

51d91fd2259bc48d41f41488310696c6b4804c7b
SHA256

e6a0aac94e9aee1a1704f968436547d5e6850c377098616fa0509ad71b41da34
SHA512

6fe5bfa38294f66d0d2fbba4cb7476fc84b8db5d67074f2ba7ec723b07c50779aa7722b786deda36e6f56ab6a42bb439b8c7188e8fd8d213d910e9e432afa206
SSDEEP

3072:kNhrtfTpc8X5ob/qJ9ZhUT0AmS156VBgiiUi9or00VLKPE+87PV6vmO:shrtFcHqJTcmS15IW7Tzvl1/

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nbjs.dll	8869b1326f728580b980a3945f9319a5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\nbjs.dll	8869b1326f728580b980a3945f9319a5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\1.hiv	8869b1326f728580b980a3945f9319a5_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8869b1326f728580b980a3945f9319a5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	548	8869b1326f728580b980a3945f9319a5_JaffaCakes118.exe
Token: SeRestorePrivilege	548	8869b1326f728580b980a3945f9319a5_JaffaCakes118.exe
Token: SeRestorePrivilege	548	8869b1326f728580b980a3945f9319a5_JaffaCakes118.exe
Token: SeRestorePrivilege	548	8869b1326f728580b980a3945f9319a5_JaffaCakes118.exe
Token: SeRestorePrivilege	548	8869b1326f728580b980a3945f9319a5_JaffaCakes118.exe
Token: SeRestorePrivilege	548	8869b1326f728580b980a3945f9319a5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 5036	548	8869b1326f728580b980a3945f9319a5_JaffaCakes118.exe	85
PID 548 wrote to memory of 5036	548	8869b1326f728580b980a3945f9319a5_JaffaCakes118.exe	85
PID 548 wrote to memory of 5036	548	8869b1326f728580b980a3945f9319a5_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\8869b1326f728580b980a3945f9319a5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8869b1326f728580b980a3945f9319a5_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c nbjs2008.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nbjs2008.bat

Filesize
2KB

MD5
11a9bfb679406a855b41aa4e308558bc

SHA1
ccc77cc33a7dfee9c4a37602e9bedf2f8024f38d

SHA256
bf0b92a0beee4053e35dec4d4c3af65c96043fa2d3e72aaee5dba2f413e39555

SHA512
cf7470637c1f8a590fcf04c0537285ce823751914d54553122075ebe02ae507e23ae78e76a015b95ceb6ba6c463ee33640939671acc920f4923dbc0a8a6ba571

Download Submit
memory/548-0-0x0000000000400000-0x0000000000436C34-memory.dmp

Filesize
219KB

Download
memory/548-5-0x0000000000400000-0x0000000000436C34-memory.dmp

Filesize
219KB

Download