274f1c4d4ce69b926cb8cf99a8f742cd912c95fcdc47bff187cada2945e2d331

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12-08-2024 10:27

Target

8e61df0bbc87ff38d6e96cc453d410b0_JaffaCakes118.exe
Size

56KB
MD5

8e61df0bbc87ff38d6e96cc453d410b0
SHA1

0e534531362092e3999f1246a2bb27eeaa751cee
SHA256

274f1c4d4ce69b926cb8cf99a8f742cd912c95fcdc47bff187cada2945e2d331
SHA512

027a0f88da48aa8fef2e3caa879466e29f5539e1171a8a7caff84e11bb02e69c5bd65748b621555645d8f06fb2eff69e7cb3a7efb538aa6b290ecfb953f1f7b7
SSDEEP

768:YP+mSdiRrBqIBsUF37qdN5iXcXT7lYMh8s:YGmSk2G2PYls

Score

6^/10

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\msn.exe"	8e61df0bbc87ff38d6e96cc453d410b0_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Accessories\Common\desktop.ini	8e61df0bbc87ff38d6e96cc453d410b0_JaffaCakes118.exe
File created	C:\Program Files\Accessories\Common\desktop.ini	8e61df0bbc87ff38d6e96cc453d410b0_JaffaCakes118.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Accessories\Common	8e61df0bbc87ff38d6e96cc453d410b0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Accessories\Common\desktop.ini	8e61df0bbc87ff38d6e96cc453d410b0_JaffaCakes118.exe
File created	C:\Program Files\Accessories\Common\desktop.ini	8e61df0bbc87ff38d6e96cc453d410b0_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hpreg.dll	8e61df0bbc87ff38d6e96cc453d410b0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e61df0bbc87ff38d6e96cc453d410b0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1736	8e61df0bbc87ff38d6e96cc453d410b0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2432	1736	8e61df0bbc87ff38d6e96cc453d410b0_JaffaCakes118.exe	31
PID 1736 wrote to memory of 2432	1736	8e61df0bbc87ff38d6e96cc453d410b0_JaffaCakes118.exe	31
PID 1736 wrote to memory of 2432	1736	8e61df0bbc87ff38d6e96cc453d410b0_JaffaCakes118.exe	31
PID 1736 wrote to memory of 2432	1736	8e61df0bbc87ff38d6e96cc453d410b0_JaffaCakes118.exe	31
PID 2432 wrote to memory of 1664	2432	cmd.exe	33
PID 2432 wrote to memory of 1664	2432	cmd.exe	33
PID 2432 wrote to memory of 1664	2432	cmd.exe	33
PID 2432 wrote to memory of 1664	2432	cmd.exe	33
PID 2432 wrote to memory of 864	2432	cmd.exe	34
PID 2432 wrote to memory of 864	2432	cmd.exe	34
PID 2432 wrote to memory of 864	2432	cmd.exe	34
PID 2432 wrote to memory of 864	2432	cmd.exe	34