9f4f2b7a989de6d9069165c9074add98e248e30b99d7745a0f633c1495c06ded

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11-08-2024 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b34d774a90db8edcb21428f5a0ad0e1_JaffaCakes118.exe
Size

44KB
MD5

8b34d774a90db8edcb21428f5a0ad0e1
SHA1

6cf189cffc4737b3c7e376af98d6b556b0f14b17
SHA256

9f4f2b7a989de6d9069165c9074add98e248e30b99d7745a0f633c1495c06ded
SHA512

6889637bb56f09ab40fe7083c1aa97fd9569eb9a9dd09f1ef76b5925c53b59702a3c659faa7b338ac7604758e933491caea31835b3de6b6b32df9551edcd9e2e
SSDEEP

768:tMQoGBwklqKSf2+vblbO1M72eJ9AYLacN5xyLO93kcPCjG4F8x4XrYI+GJ:2tKvylbR7h9Znr/9u64fVJ

Score

8^/10

discovery persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\kusn33sd\ImagePath = "C:\\Windows\\system32\\kusn33sd.exe -j"	8b34d774a90db8edcb21428f5a0ad0e1_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2536	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2356	kusn33sd.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\KillMe.bat	8b34d774a90db8edcb21428f5a0ad0e1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\kusn433sd3.dll	kusn33sd.exe
File created	C:\Windows\SysWOW64\kusn33sd.exe	8b34d774a90db8edcb21428f5a0ad0e1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\kusn33sd.exe	8b34d774a90db8edcb21428f5a0ad0e1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\kusn33sd.exe	kusn33sd.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b34d774a90db8edcb21428f5a0ad0e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kusn33sd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1688	8b34d774a90db8edcb21428f5a0ad0e1_JaffaCakes118.exe
2356	kusn33sd.exe
2356	kusn33sd.exe
2356	kusn33sd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2536	1688	8b34d774a90db8edcb21428f5a0ad0e1_JaffaCakes118.exe	31
PID 1688 wrote to memory of 2536	1688	8b34d774a90db8edcb21428f5a0ad0e1_JaffaCakes118.exe	31
PID 1688 wrote to memory of 2536	1688	8b34d774a90db8edcb21428f5a0ad0e1_JaffaCakes118.exe	31
PID 1688 wrote to memory of 2536	1688	8b34d774a90db8edcb21428f5a0ad0e1_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\8b34d774a90db8edcb21428f5a0ad0e1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8b34d774a90db8edcb21428f5a0ad0e1_JaffaCakes118.exe"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\KillMe.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2536

C:\Windows\SysWOW64\kusn33sd.exe
C:\Windows\SysWOW64\kusn33sd.exe -j
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\KillMe.bat

Filesize
239B

MD5
7487b9fd6a0a7c89bcc75e73eedece3d

SHA1
ed21e843949001d7048138ad14b300a06110112d

SHA256
979dd64c0911d5fcb4544a193b856c410d61b634427d7536dca49949ab092d4c

SHA512
0f49735310b5b8dc502bd112d3ed7c662be54a51977eb5b011c11b6ff5ec1e9a79f401fb41763deebfa2223739b08d9ddeea4d5858ed1d4e0382453ebb3daf62

Download Submit
C:\Windows\SysWOW64\kusn33sd.exe

Filesize
44KB

MD5
8b34d774a90db8edcb21428f5a0ad0e1

SHA1
6cf189cffc4737b3c7e376af98d6b556b0f14b17

SHA256
9f4f2b7a989de6d9069165c9074add98e248e30b99d7745a0f633c1495c06ded

SHA512
6889637bb56f09ab40fe7083c1aa97fd9569eb9a9dd09f1ef76b5925c53b59702a3c659faa7b338ac7604758e933491caea31835b3de6b6b32df9551edcd9e2e

Download Submit
memory/1688-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1688-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2356-6-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2356-5-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2356-16-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download