5cf1ca2caa9d7c711cfc13106e72f818e2038f1323a88fd73773dbca7c476840

Analysis

max time kernel
141s
max time network
18s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 20:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8bd6442dc984969bbeea89dd35f5f759_JaffaCakes118.exe
Size

528KB
MD5

8bd6442dc984969bbeea89dd35f5f759
SHA1

c0442996778c7ff0a35bcf0677d42c33423a089e
SHA256

5cf1ca2caa9d7c711cfc13106e72f818e2038f1323a88fd73773dbca7c476840
SHA512

e3c5717733153219d1a4e96f22a1bab09cc7999dcad5fd3cdecdff2254c4dc574e51d7632802e1978dbb5b295029eb35f39d99d5273c84d8f0045d1339e230db
SSDEEP

6144:7yH7xOc6H5c6HcT66vlmKhggtWKdC9UGy+DTPL1vMi3AYXZq/azNQXVMGhR+xwcd:7aqFlXTPhvHA7azeJYwDdjmuale9A

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
996	svchost.exe
2916	8bd6442dc984969bbeea89dd35f5f759_JaffaCakes118.exe
2724	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
996	svchost.exe
996	svchost.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	8bd6442dc984969bbeea89dd35f5f759_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8bd6442dc984969bbeea89dd35f5f759_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8bd6442dc984969bbeea89dd35f5f759_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 996	3040	8bd6442dc984969bbeea89dd35f5f759_JaffaCakes118.exe	29
PID 3040 wrote to memory of 996	3040	8bd6442dc984969bbeea89dd35f5f759_JaffaCakes118.exe	29
PID 3040 wrote to memory of 996	3040	8bd6442dc984969bbeea89dd35f5f759_JaffaCakes118.exe	29
PID 3040 wrote to memory of 996	3040	8bd6442dc984969bbeea89dd35f5f759_JaffaCakes118.exe	29
PID 996 wrote to memory of 2916	996	svchost.exe	30
PID 996 wrote to memory of 2916	996	svchost.exe	30
PID 996 wrote to memory of 2916	996	svchost.exe	30
PID 996 wrote to memory of 2916	996	svchost.exe	30

C:\Users\Admin\AppData\Local\Temp\8bd6442dc984969bbeea89dd35f5f759_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8bd6442dc984969bbeea89dd35f5f759_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\8bd6442dc984969bbeea89dd35f5f759_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Users\Admin\AppData\Local\Temp\8bd6442dc984969bbeea89dd35f5f759_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8bd6442dc984969bbeea89dd35f5f759_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2916

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchost.exe

Filesize
35KB

MD5
345861f739ef259c33abc7ef49b81694

SHA1
3b6aff327d91e66a207c0557eac6ddefab104598

SHA256
fc3220611aded768e37b125c4e4d5a8ffdbf7dfa8d8c19c07c7791b486457948

SHA512
7b0aae948a594f29125a3e80f6c2b51421cda07f5ee4554538037f12b87d4b3937ee74fb400505efcd2a953c897a49d79d875148516dcef619c514251854dfad

Download Submit
\Users\Admin\AppData\Local\Temp\8bd6442dc984969bbeea89dd35f5f759_JaffaCakes118.exe

Filesize
492KB

MD5
a7f2ec9ac36eb4fe3ba0781a5cb86998

SHA1
af843f96cb987cc8a2cdf14c8207c733c0da160e

SHA256
fecd7c674943534d9b785314fd188c71e0a4bde8f254f53a4ec82de74f476989

SHA512
2f9992fece41690060a073be24aaa557e0bda6531347135cb22668a3c73bc6b76075480762eabac3f5047c883b7c6e6edda945728b87601b6ad70127273119f2

Download Submit
memory/996-19-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2724-22-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2724-36-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3040-5-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download