452f508c61a5d516dcc7d3c869b7f17c4c3ffc975e27cadd305ccf64e4fa04eb

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96b3130b0036fe65b86aeb7c542b0303_JaffaCakes118.exe
Size

4.6MB
MD5

96b3130b0036fe65b86aeb7c542b0303
SHA1

bc945a0bb4b61c30389ca142257b8999bc19ca4e
SHA256

452f508c61a5d516dcc7d3c869b7f17c4c3ffc975e27cadd305ccf64e4fa04eb
SHA512

cf692aacc92a23e6e9aa6b7233f90496f4ac830222c6ed6546779732aacb5c25ab14ddcfcf1f589e639edbe63c2dfcd098ee3151d2f8f5db2864eca26da5d7d4
SSDEEP

98304:NVY5dj/H0DKMkPuhL+NV71b6Cpg2LwTu8O95z:Pkj8Yu9+jw/O9R

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1960	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
304	96b3130b0036fe65b86aeb7c542b0303_JaffaCakes118.exe
304	96b3130b0036fe65b86aeb7c542b0303_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96b3130b0036fe65b86aeb7c542b0303_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
304	96b3130b0036fe65b86aeb7c542b0303_JaffaCakes118.exe
304	96b3130b0036fe65b86aeb7c542b0303_JaffaCakes118.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe
1960	explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 304 wrote to memory of 1960	304	96b3130b0036fe65b86aeb7c542b0303_JaffaCakes118.exe	31
PID 304 wrote to memory of 1960	304	96b3130b0036fe65b86aeb7c542b0303_JaffaCakes118.exe	31
PID 304 wrote to memory of 1960	304	96b3130b0036fe65b86aeb7c542b0303_JaffaCakes118.exe	31
PID 304 wrote to memory of 1960	304	96b3130b0036fe65b86aeb7c542b0303_JaffaCakes118.exe	31
PID 1960 wrote to memory of 2868	1960	explorer.exe	32
PID 1960 wrote to memory of 2868	1960	explorer.exe	32
PID 1960 wrote to memory of 2868	1960	explorer.exe	32
PID 1960 wrote to memory of 2868	1960	explorer.exe	32

C:\Users\Admin\AppData\Local\Temp\96b3130b0036fe65b86aeb7c542b0303_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\96b3130b0036fe65b86aeb7c542b0303_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:304
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\explorer.exe" --ch=1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\25637.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\25637.bat

Filesize
183B

MD5
b914b8fc7935a8399cade3e8fc2965a5

SHA1
2d407a20c167b933b69ca93208aa7e6a49182d8b

SHA256
005c2a890e14e800b788f0bf6cbbc610fcf4fea1f886dc45f4bef5aefabe25b3

SHA512
7dbbb6ff59c6d9ccfb6191442eb02559659e98b4ec33fb51a2462e53f22da34ee879ff3466221a05498cda4250e25c2761c06ed45c9776e23f5b10de29fa83c5

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
4.6MB

MD5
96b3130b0036fe65b86aeb7c542b0303

SHA1
bc945a0bb4b61c30389ca142257b8999bc19ca4e

SHA256
452f508c61a5d516dcc7d3c869b7f17c4c3ffc975e27cadd305ccf64e4fa04eb

SHA512
cf692aacc92a23e6e9aa6b7233f90496f4ac830222c6ed6546779732aacb5c25ab14ddcfcf1f589e639edbe63c2dfcd098ee3151d2f8f5db2864eca26da5d7d4

Download Submit
memory/304-0-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/304-10-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/304-24-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/1960-9-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/1960-11-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/1960-23-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download