c467cbbe51a76a36ac89b87fff41440256c62b73cc5c5842be24f5978e78ac87

Analysis

max time kernel
142s
max time network
136s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
16-08-2024 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fc99fab5e471b99924b3f37085e2f62_JaffaCakes118.exe
Size

270KB
MD5

9fc99fab5e471b99924b3f37085e2f62
SHA1

aa04bc2996b0fae2d68c2265f98e65fc5de31d19
SHA256

c467cbbe51a76a36ac89b87fff41440256c62b73cc5c5842be24f5978e78ac87
SHA512

6e518172db0dca670e6f0539d09cd34d80384390195e9b20506f47054d545a4804dfb8b2ba27077da8abc8a0861f2da0ff87c3c7ba00b81f3b03b06e20ffe1db
SSDEEP

3072:cBWXxiLmBQZVPo73d3V4p/RzDXgnU/C3lXMXyJI1OjzIZ3WvnsOLGaujZCDKuqjm:TWXPY3/Qv/rZUHUiOjZQ5qjPE5Stece

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2264	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
328	server.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PRogram Files\server.exe	9fc99fab5e471b99924b3f37085e2f62_JaffaCakes118.exe
File opened for modification	C:\PRogram Files\server.exe	9fc99fab5e471b99924b3f37085e2f62_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\65137367.BAT	9fc99fab5e471b99924b3f37085e2f62_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9fc99fab5e471b99924b3f37085e2f62_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	9fc99fab5e471b99924b3f37085e2f62_JaffaCakes118.exe
Token: SeDebugPrivilege	328	server.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
328	server.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2264	2688	9fc99fab5e471b99924b3f37085e2f62_JaffaCakes118.exe	33
PID 2688 wrote to memory of 2264	2688	9fc99fab5e471b99924b3f37085e2f62_JaffaCakes118.exe	33
PID 2688 wrote to memory of 2264	2688	9fc99fab5e471b99924b3f37085e2f62_JaffaCakes118.exe	33
PID 2688 wrote to memory of 2264	2688	9fc99fab5e471b99924b3f37085e2f62_JaffaCakes118.exe	33
PID 328 wrote to memory of 2696	328	server.exe	32
PID 328 wrote to memory of 2696	328	server.exe	32
PID 328 wrote to memory of 2696	328	server.exe	32
PID 328 wrote to memory of 2696	328	server.exe	32

C:\Users\Admin\AppData\Local\Temp\9fc99fab5e471b99924b3f37085e2f62_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9fc99fab5e471b99924b3f37085e2f62_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\65137367.BAT
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2264

C:\PRogram Files\server.exe
"C:\PRogram Files\server.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:328
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\server.exe

Filesize
270KB

MD5
9fc99fab5e471b99924b3f37085e2f62

SHA1
aa04bc2996b0fae2d68c2265f98e65fc5de31d19

SHA256
c467cbbe51a76a36ac89b87fff41440256c62b73cc5c5842be24f5978e78ac87

SHA512
6e518172db0dca670e6f0539d09cd34d80384390195e9b20506f47054d545a4804dfb8b2ba27077da8abc8a0861f2da0ff87c3c7ba00b81f3b03b06e20ffe1db

Download Submit
C:\Windows\65137367.BAT

Filesize
218B

MD5
e22fe8f340ec2fff5ee04aac84f14d0e

SHA1
998b96e6f2b166913ba4103f010c616085f72e4b

SHA256
04cca6805bdd5976371592870e7124b176d2ed477e26dddd1c3730e3fce5c309

SHA512
cbccfc445330bb89d3573616772a2698ab396f2b4dc54ed90d19451dad6658ac8b8e4af06ae490f59f86d60a150eed6ceca75e613d907e18ffc1f93632506e27

Download Submit
memory/328-5-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/328-17-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/328-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2688-0-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/2688-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2688-15-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download