979b8e2d914c3a449e7edb832eaaec40ed6b721f4a48efd8c196114e7bfb3608

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11-08-2024 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89d6d7ad138daf08750263d161a63655_JaffaCakes118.exe
Size

7.1MB
MD5

89d6d7ad138daf08750263d161a63655
SHA1

776016cb920e7143baed1a8e39462809a342a945
SHA256

979b8e2d914c3a449e7edb832eaaec40ed6b721f4a48efd8c196114e7bfb3608
SHA512

8ad10ad5f63ca9a5968578032f8ec0a2f581e0a5f38f7dc96f2e6cf40645eea8d3c5f4727d6c4ce5f116b846dcfbaecee39e25a10a67148dc0de9b30e1187a09
SSDEEP

49152:pMIumu68CLfegNTX3SdgdOBoS52GDTz58XJWTG1K/mqucutXSr/oOA3SChiyB9S/:C5n6xegVfQTzWJsut9Q/nqEJ4ev

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2748	setup.exe

Loads dropped DLL 6 IoCs

pid	Process
2376	89d6d7ad138daf08750263d161a63655_JaffaCakes118.exe
2748	setup.exe
2748	setup.exe
2748	setup.exe
2748	setup.exe
2748	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89d6d7ad138daf08750263d161a63655_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2748	2376	89d6d7ad138daf08750263d161a63655_JaffaCakes118.exe	31
PID 2376 wrote to memory of 2748	2376	89d6d7ad138daf08750263d161a63655_JaffaCakes118.exe	31
PID 2376 wrote to memory of 2748	2376	89d6d7ad138daf08750263d161a63655_JaffaCakes118.exe	31
PID 2376 wrote to memory of 2748	2376	89d6d7ad138daf08750263d161a63655_JaffaCakes118.exe	31
PID 2376 wrote to memory of 2748	2376	89d6d7ad138daf08750263d161a63655_JaffaCakes118.exe	31
PID 2376 wrote to memory of 2748	2376	89d6d7ad138daf08750263d161a63655_JaffaCakes118.exe	31
PID 2376 wrote to memory of 2748	2376	89d6d7ad138daf08750263d161a63655_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\89d6d7ad138daf08750263d161a63655_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\89d6d7ad138daf08750263d161a63655_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\~sfx003ADDFF1B\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\~sfx003ADDFF1B\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~sfx003ADDFF1B\schoolpcteacher.exe

Filesize
1.8MB

MD5
06c26584acb47af80ee71cfa03b97657

SHA1
8cfd08ca5f460a131c83c434c78ac9e7e2601c60

SHA256
4352ece1d7dc7978831dfaedb507ea148267820e8583b9d9cb6b3bd92e5a2493

SHA512
17d6309ec45ad244f4ab302ab975a0a8d475c379d909c1074c3a3711a6f468a0880fb99e4153b56a5dff3311044de3167d7fa8e4fbc05cc3be13e4748f10cddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sfx003ADDFF1B\setup.ENU

Filesize
43KB

MD5
4bc60176408b712e9491636b178a6baf

SHA1
40e54ff7a4ca1c6d6fcc949e1999fbd7319d8936

SHA256
b1dd6a99481afadb1152572a869f8017e238a2d45a28c752a0d4a1635a1bed5b

SHA512
2d3807ff3af249116c765f1aef913430a5f905374e3a6d3856d2cf1112be5fcf7c09aeddd394b52e53f3415a89561c66b68c5ab2eb68640a8bf525628b19f803

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sfx003ADDFF1B\setup.ITA

Filesize
43KB

MD5
cf11c849a708eaacf128e660f53cfdaf

SHA1
0a1781b37de434f92bfda8e815e63dd7dfabece5

SHA256
4e669b56e92e54294130cf003df497519bbf25eb2007e977aead9229ea6b4de8

SHA512
6a6bd1e72a57671169a8aadfd75a0383705f12f0be1ead3010eea598f25eedd74d4e93cc2429c465f6b02a107d7d4d809d05ab5ed69163e2efe84d0c2d6531b3

Download Submit
\Users\Admin\AppData\Local\Temp\~sfx003ADDFF1B\setup.exe

Filesize
1.2MB

MD5
2f7c0bcfa106247c05f8ac54154434c8

SHA1
88e9bd98f91517e1995bb5d39396a7da180d9a13

SHA256
a16d1f4453b9a457ede1d54635ccb02c9d166167e61dfc0495a93bfd010d3e15

SHA512
ff1885520a820d74320944bb00e1bbbff2902e6834251b2a043eb59789952fe042c6ba26680160347c398e536d74b0edf814fab8175d4b1a4ea974a9d687d8bc

Download Submit
memory/2376-39-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2748-40-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download