d78a3a8487ba2d2edd69261a9c3f7f240cc80280e80037ed0cdb464244d7fdfb

Analysis

max time kernel
140s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/08/2024, 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94b34b7231308938091277a347d65ec5_JaffaCakes118.exe
Size

48KB
MD5

94b34b7231308938091277a347d65ec5
SHA1

00c6057646e4cf049c16346745e9dd91b3945267
SHA256

d78a3a8487ba2d2edd69261a9c3f7f240cc80280e80037ed0cdb464244d7fdfb
SHA512

9ad2d86dc0ae44858002364314af0c15a581d891383dedbdb2f74265146ad206c4ae286d02f7877f2416e20fdcd6886cb2a30ffd24f45bd84c643ddbc738de4e
SSDEEP

768:/9lIR05Et09xadDN0qsbKaocSyQCk4zsHG:/9lh5V5uDCXYHG

Score

6^/10

discovery

Malware Config

Signatures

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4548	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94b34b7231308938091277a347d65ec5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4216	94b34b7231308938091277a347d65ec5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 4380	4216	94b34b7231308938091277a347d65ec5_JaffaCakes118.exe	91
PID 4216 wrote to memory of 4380	4216	94b34b7231308938091277a347d65ec5_JaffaCakes118.exe	91
PID 4216 wrote to memory of 4380	4216	94b34b7231308938091277a347d65ec5_JaffaCakes118.exe	91
PID 4380 wrote to memory of 2864	4380	cmd.exe	93
PID 4380 wrote to memory of 2864	4380	cmd.exe	93
PID 4380 wrote to memory of 2864	4380	cmd.exe	93
PID 2864 wrote to memory of 5068	2864	net.exe	94
PID 2864 wrote to memory of 5068	2864	net.exe	94
PID 2864 wrote to memory of 5068	2864	net.exe	94
PID 4380 wrote to memory of 3408	4380	cmd.exe	95
PID 4380 wrote to memory of 3408	4380	cmd.exe	95
PID 4380 wrote to memory of 3408	4380	cmd.exe	95
PID 3408 wrote to memory of 60	3408	net.exe	96
PID 3408 wrote to memory of 60	3408	net.exe	96
PID 3408 wrote to memory of 60	3408	net.exe	96
PID 4380 wrote to memory of 5116	4380	cmd.exe	97
PID 4380 wrote to memory of 5116	4380	cmd.exe	97
PID 4380 wrote to memory of 5116	4380	cmd.exe	97
PID 5116 wrote to memory of 4500	5116	net.exe	98
PID 5116 wrote to memory of 4500	5116	net.exe	98
PID 5116 wrote to memory of 4500	5116	net.exe	98
PID 4380 wrote to memory of 4548	4380	cmd.exe	99
PID 4380 wrote to memory of 4548	4380	cmd.exe	99
PID 4380 wrote to memory of 4548	4380	cmd.exe	99
PID 4380 wrote to memory of 4256	4380	cmd.exe	100
PID 4380 wrote to memory of 4256	4380	cmd.exe	100
PID 4380 wrote to memory of 4256	4380	cmd.exe	100
PID 4380 wrote to memory of 4116	4380	cmd.exe	101
PID 4380 wrote to memory of 4116	4380	cmd.exe	101
PID 4380 wrote to memory of 4116	4380	cmd.exe	101
PID 4380 wrote to memory of 2792	4380	cmd.exe	102
PID 4380 wrote to memory of 2792	4380	cmd.exe	102
PID 4380 wrote to memory of 2792	4380	cmd.exe	102
PID 4216 wrote to memory of 3172	4216	94b34b7231308938091277a347d65ec5_JaffaCakes118.exe	107
PID 4216 wrote to memory of 3172	4216	94b34b7231308938091277a347d65ec5_JaffaCakes118.exe	107
PID 4216 wrote to memory of 3172	4216	94b34b7231308938091277a347d65ec5_JaffaCakes118.exe	107
PID 3172 wrote to memory of 1596	3172	cmd.exe	109
PID 3172 wrote to memory of 1596	3172	cmd.exe	109
PID 3172 wrote to memory of 1596	3172	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\94b34b7231308938091277a347d65ec5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\94b34b7231308938091277a347d65ec5_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sseg.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\SysWOW64\net.exe
    net stop "central de seguranτa"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "central de seguranτa"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5068
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:60
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:4500
- - C:\Windows\SysWOW64\sc.exe
    sc config wscsvc start = disabled
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4548
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\System\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t REG_DWORD /d 0x00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4256
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4116
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 0x00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocx.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\SysWOW64\regsvr32.exe
    Regsvr32.exe /s C:\Users\Admin\AppData\Local\Temp\MSINET.OCX
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3808,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:8
1⤵
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Share Discovery

T1135

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCPU4OJ5\ki[1].htm

Filesize
795B

MD5
5d8d79c3cb9af023240b1be6f5057aaa

SHA1
df22980677b134e83d878893f7c7984e0d78a240

SHA256
e8b101a7c7f64aad528cc734513cbeb02243c0af37930dc0f3239749cff184b6

SHA512
66f432b622cee0bcc06cbc0f833de1471ea36c295b4cd93eb848d97e69c2252acd2fc8972db51ea35475a424f4d6cb5001325525fb04f71b8704eb24de1c4008

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XHVIU6BA\1[1].htm

Filesize
8KB

MD5
73e349893791986dcaa2d00900e6c443

SHA1
1ef841cc0895227f22999157a058e54471888dc5

SHA256
a0454849d2ee1369f82c44e820f3980475930a6f1941fc33f099665b63a6b1d2

SHA512
a20a7ff3f18743583aa8b2f15409b63ce7223096263ebcac82f61d68591f92ffc582a7d03c3e14f31c64555d1ebfb80872cae7de92191d4c6ffc750aad8d5747

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSINET.OCX

Filesize
49KB

MD5
0d076d1dfb811f069a205464633364d9

SHA1
631821b3886311ea9d2f57976f1e423df922d6c5

SHA256
79c150df7f0a5e3d2492816e514cda1a4eba65a224dee50f04f319fb0ec09889

SHA512
841744fcfad6d95968f09900edc96165b71ccc3a6aaf143432f888b849f1014191ff90a40f6a43129d27978dad73fba0ef10bcdb61c6083e823f0c267df65df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocx.bat

Filesize
79B

MD5
8024b884c962eb4d4173937815862d4a

SHA1
705948046cf10f04d969ba2ebaac0d9ec5890ff4

SHA256
dd7a4118ad940887b5ff318001e1841b994c9c1f83571708b49a9b1290fb9d9f

SHA512
11b3b313c35785ec437b47e422a3ce23ca602f727d784b4f804b9ea876b08eebf97b9dfe6fd4f5540e109e6b082466e8678884f3d886b279e4269bcd9a8ddaba

Download Submit
C:\Users\Admin\AppData\Local\Temp\sseg.bat

Filesize
598B

MD5
b632bdffd9eea8a8bdef34fe54422ee2

SHA1
7221ff2239f23b2d25d54202fcfa4e38bdd4203b

SHA256
34f2d00d5de8476b29f033031933967391afd0a882f95bf751614066d870b601

SHA512
4ef975151aad95ee03136eb6be819ad8115350e9e328b13c0fcb774f4e8584b840859ad98a418d34be86ce79965a8e4529cb55a696b37dd007c9c3b6a423ec82

Download Submit