9c67a125a32462baf35f327be86b064da87d508419519d45cfd6327f92a0c867

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95cb69c55ba18a20a53d8cdea14692d3_JaffaCakes118.exe
Size

128KB
MD5

95cb69c55ba18a20a53d8cdea14692d3
SHA1

65e9b7fb2c00e28e6a6f9486a86183be48c5195a
SHA256

9c67a125a32462baf35f327be86b064da87d508419519d45cfd6327f92a0c867
SHA512

55579a48083fbb8a4bf7c9f8b012390797b0efa7ff4560ba908ab890b279c88bc0374311f5e2b22d65c84a8ed3b7e8f479f2c2e813eb9d3ab213db7be05f28a9
SSDEEP

3072:V5wkhcI9CqZcJkl/1bxb86ey29DAUMMLXvOy9Md9p:V5wiV9Cqh/1bHRUMQgn

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
1604	95cb69c55ba18a20a53d8cdea14692d3_JaffaCakes118.exe
1604	95cb69c55ba18a20a53d8cdea14692d3_JaffaCakes118.exe
1604	95cb69c55ba18a20a53d8cdea14692d3_JaffaCakes118.exe
1604	95cb69c55ba18a20a53d8cdea14692d3_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\s3s4312.dat	95cb69c55ba18a20a53d8cdea14692d3_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Windows.ime	95cb69c55ba18a20a53d8cdea14692d3_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95cb69c55ba18a20a53d8cdea14692d3_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1604	95cb69c55ba18a20a53d8cdea14692d3_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\95cb69c55ba18a20a53d8cdea14692d3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95cb69c55ba18a20a53d8cdea14692d3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\s3s4312.dat

Filesize
180B

MD5
dfedc51f2b4a0cb8fda692527b67adb6

SHA1
3d8a9349d7d305c4208248e87a0fc63df0e34061

SHA256
3dd3945160d7037662e6e61c45f999fd9f9df57397d8267655a241681a486998

SHA512
79c8eb62fba198fe832255ea2c0fa5cae630c0ec045a7f08c9d35567e02627b2ff17c2cc0df971e7582dc28361d4001e275de76faaf89693fcd89d4752a91a5a

Download Submit
\Windows\SysWOW64\Windows.ime

Filesize
72KB

MD5
9e1d826af4fd2394ed6fd27b718a689b

SHA1
074f7fc279eac7edd44138e2668157bc4ad3db03

SHA256
35fb0f8e744dc504df44a493dba18a6d0a5a4b8252c3c5f568c7c025421d7742

SHA512
ccc8e29c45d3142025a16ef6daf1fd1439c0c1d3038977b94c3c6bfbccd763e699f1c3657c7d6a6ed1604ad9fc766c0d5fc3d295e579c55ab1211f4f3b8cc188

Download Submit
memory/1604-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1604-22-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/1604-21-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/1604-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download