dc673d9e5057c91373ee2a26ba7e1b363ba1071d07c4d6fa85c610b07568f436

Analysis

max time kernel
37s
max time network
37s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12/08/2024, 13:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8efbc7722bf8484c2aa4c9f0e69aa5c0_JaffaCakes118.exe
Size

2.8MB
MD5

8efbc7722bf8484c2aa4c9f0e69aa5c0
SHA1

a01271cbc63aee455e2829dc9aa5810ddacc7161
SHA256

dc673d9e5057c91373ee2a26ba7e1b363ba1071d07c4d6fa85c610b07568f436
SHA512

7919898b3b1d0484aa1f6305ffc1b3debe33782638509b9bc2bdbe6b4428ea01442ad309999995eb358be0d5df6bd5ec8eebe57220e8dfdb2b19f9bd2df290df
SSDEEP

24576:VHOdSYZkkEviIyPvS8rSWWivqg+BYLjAG6sTjjBVuL9Qcq2VJGXJopw+ruYJ4mdC:JNujjBVoragxnT57mwQ9n

Score

7^/10

discovery evasion trojan

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2756	explorer.exe
780	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2820	8efbc7722bf8484c2aa4c9f0e69aa5c0_JaffaCakes118.exe
2756	explorer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2380 set thread context of 2820	2380	8efbc7722bf8484c2aa4c9f0e69aa5c0_JaffaCakes118.exe	30
PID 2756 set thread context of 780	2756	explorer.exe	32

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8efbc7722bf8484c2aa4c9f0e69aa5c0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8efbc7722bf8484c2aa4c9f0e69aa5c0_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2820	8efbc7722bf8484c2aa4c9f0e69aa5c0_JaffaCakes118.exe
2820	8efbc7722bf8484c2aa4c9f0e69aa5c0_JaffaCakes118.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2380	8efbc7722bf8484c2aa4c9f0e69aa5c0_JaffaCakes118.exe
2756	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2820	2380	8efbc7722bf8484c2aa4c9f0e69aa5c0_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2820	2380	8efbc7722bf8484c2aa4c9f0e69aa5c0_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2820	2380	8efbc7722bf8484c2aa4c9f0e69aa5c0_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2820	2380	8efbc7722bf8484c2aa4c9f0e69aa5c0_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2820	2380	8efbc7722bf8484c2aa4c9f0e69aa5c0_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2820	2380	8efbc7722bf8484c2aa4c9f0e69aa5c0_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2820	2380	8efbc7722bf8484c2aa4c9f0e69aa5c0_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2820	2380	8efbc7722bf8484c2aa4c9f0e69aa5c0_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2820	2380	8efbc7722bf8484c2aa4c9f0e69aa5c0_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2820	2380	8efbc7722bf8484c2aa4c9f0e69aa5c0_JaffaCakes118.exe	30
PID 2820 wrote to memory of 2756	2820	8efbc7722bf8484c2aa4c9f0e69aa5c0_JaffaCakes118.exe	31
PID 2820 wrote to memory of 2756	2820	8efbc7722bf8484c2aa4c9f0e69aa5c0_JaffaCakes118.exe	31
PID 2820 wrote to memory of 2756	2820	8efbc7722bf8484c2aa4c9f0e69aa5c0_JaffaCakes118.exe	31
PID 2820 wrote to memory of 2756	2820	8efbc7722bf8484c2aa4c9f0e69aa5c0_JaffaCakes118.exe	31
PID 2756 wrote to memory of 780	2756	explorer.exe	32
PID 2756 wrote to memory of 780	2756	explorer.exe	32
PID 2756 wrote to memory of 780	2756	explorer.exe	32
PID 2756 wrote to memory of 780	2756	explorer.exe	32
PID 2756 wrote to memory of 780	2756	explorer.exe	32
PID 2756 wrote to memory of 780	2756	explorer.exe	32
PID 2756 wrote to memory of 780	2756	explorer.exe	32
PID 2756 wrote to memory of 780	2756	explorer.exe	32
PID 2756 wrote to memory of 780	2756	explorer.exe	32
PID 2756 wrote to memory of 780	2756	explorer.exe	32
PID 780 wrote to memory of 548	780	explorer.exe	33
PID 780 wrote to memory of 548	780	explorer.exe	33
PID 780 wrote to memory of 548	780	explorer.exe	33
PID 780 wrote to memory of 548	780	explorer.exe	33

C:\Users\Admin\AppData\Local\Temp\8efbc7722bf8484c2aa4c9f0e69aa5c0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8efbc7722bf8484c2aa4c9f0e69aa5c0_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\8efbc7722bf8484c2aa4c9f0e69aa5c0_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\8efbc7722bf8484c2aa4c9f0e69aa5c0_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\explorer.exe" 1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\explorer.exe
      "C:\Users\Admin\AppData\Local\Temp\explorer.exe" 1
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:780
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\28365.bat"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\28365.bat

Filesize
183B

MD5
20a1521427e5cb4b0ebb33e03b76bc0e

SHA1
fc6fa1fc22498780172634e13ddc782cad5b73cc

SHA256
70273bc47d4e82026ba6b068cf473e29b3442b8c38b2cffb575aff35c2414660

SHA512
87c7d4985898d1381aeb961b0090247a6c39b29ed61fa130b2b64eb9d8af41d3a5aeec5e6c935d08711723e258306daf238a43a012ad8ed0b790181998f7c62b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~21A.tmp

Filesize
16B

MD5
0f29ccdcc81b9de9e83cb54ef404a25f

SHA1
ece86cd2c0dcb7cedea44bafbd750efbb1b6050a

SHA256
f5a8455b57751e1b83a55517c15d32686fdf7893122d3f2ab5d1d67e10aca9f3

SHA512
11dc65469438d2bfab36500b412031b7f7140f8a08e6aae7052496b635691feb5d75a66b4ea089dc78be8ba3fcb3e0666a8e2340811f7f136101112a197f822d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~22E.tmp

Filesize
16B

MD5
148b389d77fb259ed4888efd75c439d4

SHA1
7e592c3aef88898975ca3a137c6c90c609b2e3b4

SHA256
ce96bde80d0f8b067eed2120a85c5659ddd8889e8358c934e6d01f7e138ff61e

SHA512
80a9d901fa501333a23b80066e14cd8937af7b72a8ff4b621e09dda34510429d61c81a1d41e3701a7c661669e7b479c5a012350edaa1628c9be43b48f94297d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~260.tmp

Filesize
16B

MD5
7899e885fcba3115bcc862b03b6b4f78

SHA1
7aa6c0ed58a8f6809a6264b768dbbdfcb6269f61

SHA256
2966f80d6744e706d509dbf00c47f300917ab84a359e308d8a26b3a01a99fa2e

SHA512
3c1123b2e9b714634405fee9e9fabc1baa11e8adf343462605e30c22ba527efb03557fdc172532d2d1873da7d8ecfdae1719a45c0d81805d2dabb22605741af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\~2C5.tmp

Filesize
16B

MD5
ee5c64d7757148e83b837b3868b640e9

SHA1
6b74108d10aebc70d3309f710132f2ce8d32a3ba

SHA256
9f25270b0eb81fa4660844cc051e486ea09b4ff2cb445d8abf7ae2988023eae5

SHA512
002797a6c317dccf6ae6ea478a64362efe990557afe27415957b5f3cecf5f077513b634b4d60cc64c35d5df2f93df113df3e2c83771c806edfb24bbe33ae8d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\~357.tmp

Filesize
16B

MD5
6af9c8fc09f80098ada68310bca5a378

SHA1
876305c11d75b0eb258029436d9fe45d50d168d8

SHA256
8c438bdb1907a64e7478f1c7a2bd5096832bb0b89fe0c01b1e3751edac8aadad

SHA512
038ddb8c17a464ffb84685d888b8a5239dd997e8500c85881d8b5c456f6eadf42f5c4be23ecfb97c9fcab2b62398f5f1cd27fbe53c73f61eda6aef6d4254ee5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3DC.tmp

Filesize
16B

MD5
5f39fd389f12ae05d2cb577270532a8c

SHA1
839ae15791de5e023e0249db3b77c2fb039678c1

SHA256
0a343526084531b4719f6bc192e7d6293ff80df2d999d60c34f9cf05800f27a8

SHA512
3371547d1cde8c8856daf524e58a441349be7cf61c3bb17d3a2c867fbede2d923ac7dd1fc37e912216c955432c3a428d947dc402ae76cf0d9da40e611d494a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\~4D.tmp

Filesize
16B

MD5
d6ddda24b1dfccc8cacbf1b2a0d271b2

SHA1
04949cdf06204c1aed69c856c17d36c1c101a057

SHA256
7a5198e48a34fcc3d6da61e0b476427e62053841b7cfbce2dedbbfb32793123c

SHA512
b6717a08fa282bfd9d0e2e2e74e514254ea886d5cb362b064ca54b55fc45a9da834f6adbb21afd18b6ec0561ef8815d0f58f7042467c8ec6616b73b36f797173

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
2.8MB

MD5
8efbc7722bf8484c2aa4c9f0e69aa5c0

SHA1
a01271cbc63aee455e2829dc9aa5810ddacc7161

SHA256
dc673d9e5057c91373ee2a26ba7e1b363ba1071d07c4d6fa85c610b07568f436

SHA512
7919898b3b1d0484aa1f6305ffc1b3debe33782638509b9bc2bdbe6b4428ea01442ad309999995eb358be0d5df6bd5ec8eebe57220e8dfdb2b19f9bd2df290df

Download Submit
memory/780-133-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/780-132-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/780-151-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/780-141-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/780-136-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/780-131-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2820-41-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2820-45-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2820-37-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2820-30-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2820-57-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2820-50-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2820-140-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2820-33-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2820-53-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2820-55-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download