3bd84fc83c4d523b747ce1ba55ba693585a5c4bea65bfbc7882e14a846cd6b62

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 14:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe
Size

35KB
MD5

96779ee978b47c22814b818366c8bcad
SHA1

2961d817da277620d446c8ecdd85f5dcee9cb1cf
SHA256

3bd84fc83c4d523b747ce1ba55ba693585a5c4bea65bfbc7882e14a846cd6b62
SHA512

b0ce7b726ac2babfd888cf468f516a5e5a172e15c6e6337b7c4e38492dc9a0f4f0355878b76bef03a3d871e16fa40c80e01569beaa093fd3f732d39d14b75de7
SSDEEP

768:UKgphok5Fvwh62at6oBj8F7mlXPw4AwySaEtVvwIioyPyYebfC:UKMfwM2aX8F78Pw4ASDVIIpyaxfC

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1608	cmd.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program files\MSDN\LHL13.sys	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe
File created	C:\Program files\MSDN\000000001	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe
File opened for modification	C:\Program files\MSDN\000000001	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe
File created	C:\Program files\MSDN\hehex.sys	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe
2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe
2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe
Token: SeDebugPrivilege	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe
Token: SeDebugPrivilege	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2020	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	30
PID 2364 wrote to memory of 2020	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	30
PID 2364 wrote to memory of 2020	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	30
PID 2364 wrote to memory of 2020	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	30
PID 2364 wrote to memory of 2020	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	30
PID 2364 wrote to memory of 2020	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	30
PID 2364 wrote to memory of 2020	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	30
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21
PID 2364 wrote to memory of 1200	2364	96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\96779ee978b47c22814b818366c8bcad_JaffaCakes118.exe"
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c time 14:27:00
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\t.bat" "
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\MSDN\000000001

Filesize
8KB

MD5
1bd1b9099f13228ba032eab9a290b06a

SHA1
af28e0e8197571f73950fe3baad257c22e4d49a8

SHA256
1a13f6063691d519f252a0f5c4d1ce4120b766932f8e28cfc08f461893b36749

SHA512
b4822ad3a7726bc3eb3993067e21a8ce13c3785a63cc10d8bfdb5288f6f23a53eeb9f0c4e55e278996eca3f39841b78af02f4aea635cbffbb67e24df4a6a20eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.bat

Filesize
216B

MD5
290c3e7d03093d992e856d3c36079fb4

SHA1
b50368a93caa78c69967154e8a97822bfd1080af

SHA256
b794c89342f9e21987300ab83191b668b609bf0ffec8adee7e956b788a9a0383

SHA512
a955974e64145d390e8f3c693f6f30834d96d3107a1f6b1059a404327775f428e8b0727822ef2b7f22f241419d14508fd37bd317b672751c82a067e9b9fe4664

Download Submit
memory/1200-44-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-37-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-68-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-65-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-63-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-61-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-59-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-57-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-55-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-53-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-52-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-49-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-47-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-45-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-21-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-41-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-69-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-36-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-39-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-33-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-31-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-29-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-28-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-25-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-23-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-19-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-17-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-15-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-13-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-11-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/1200-9-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download
memory/2364-2-0x00000000008D0000-0x00000000008D5000-memory.dmp

Filesize
20KB

Download
memory/2364-1-0x00000000008D0000-0x00000000008D5000-memory.dmp

Filesize
20KB

Download