f3603cf72623943a82d830d3e63f9edf0392e062e25a1f65bbcece0739452bcf

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3300bd250c3f457c47304d494a7740b_JaffaCakes118.exe
Size

429KB
MD5

a3300bd250c3f457c47304d494a7740b
SHA1

cd4d72ac32eceda4815f730f71fdb418e7fd561e
SHA256

f3603cf72623943a82d830d3e63f9edf0392e062e25a1f65bbcece0739452bcf
SHA512

6e4d20084ea206a89fdea1493f2b4cfa7271ee7220f2d70ba0dd86775d332e51c3878d2c10c4be4c3b95f94029a47fff66eb72a0a02f40398d58188bb1e040b8
SSDEEP

6144:aKELo7qp0yN90QE64Utj67SIQE5aHyD74veL4mKF4XXx46PWtYjUW5b:mLofy908OeIQqaHywvfmK8XjPWtuUg

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2080	shoot1.exe
2340	CryptedFile.exe
2280	shoot1.exe
2752	CryptedFile.exe

Loads dropped DLL 4 IoCs

pid	Process
1600	a3300bd250c3f457c47304d494a7740b_JaffaCakes118.exe
2340	CryptedFile.exe
1600	a3300bd250c3f457c47304d494a7740b_JaffaCakes118.exe
2752	CryptedFile.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a3300bd250c3f457c47304d494a7740b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3300bd250c3f457c47304d494a7740b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptedFile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptedFile.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2340	CryptedFile.exe
2340	CryptedFile.exe
2752	CryptedFile.exe
2752	CryptedFile.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 2080	1600	a3300bd250c3f457c47304d494a7740b_JaffaCakes118.exe	30
PID 1600 wrote to memory of 2080	1600	a3300bd250c3f457c47304d494a7740b_JaffaCakes118.exe	30
PID 1600 wrote to memory of 2080	1600	a3300bd250c3f457c47304d494a7740b_JaffaCakes118.exe	30
PID 1600 wrote to memory of 2080	1600	a3300bd250c3f457c47304d494a7740b_JaffaCakes118.exe	30
PID 1600 wrote to memory of 2080	1600	a3300bd250c3f457c47304d494a7740b_JaffaCakes118.exe	30
PID 1600 wrote to memory of 2080	1600	a3300bd250c3f457c47304d494a7740b_JaffaCakes118.exe	30
PID 1600 wrote to memory of 2080	1600	a3300bd250c3f457c47304d494a7740b_JaffaCakes118.exe	30
PID 2080 wrote to memory of 2340	2080	shoot1.exe	32
PID 2080 wrote to memory of 2340	2080	shoot1.exe	32
PID 2080 wrote to memory of 2340	2080	shoot1.exe	32
PID 2080 wrote to memory of 2340	2080	shoot1.exe	32
PID 2080 wrote to memory of 2340	2080	shoot1.exe	32
PID 2080 wrote to memory of 2340	2080	shoot1.exe	32
PID 2080 wrote to memory of 2340	2080	shoot1.exe	32
PID 1600 wrote to memory of 2280	1600	a3300bd250c3f457c47304d494a7740b_JaffaCakes118.exe	33
PID 1600 wrote to memory of 2280	1600	a3300bd250c3f457c47304d494a7740b_JaffaCakes118.exe	33
PID 1600 wrote to memory of 2280	1600	a3300bd250c3f457c47304d494a7740b_JaffaCakes118.exe	33
PID 1600 wrote to memory of 2280	1600	a3300bd250c3f457c47304d494a7740b_JaffaCakes118.exe	33
PID 1600 wrote to memory of 2280	1600	a3300bd250c3f457c47304d494a7740b_JaffaCakes118.exe	33
PID 1600 wrote to memory of 2280	1600	a3300bd250c3f457c47304d494a7740b_JaffaCakes118.exe	33
PID 1600 wrote to memory of 2280	1600	a3300bd250c3f457c47304d494a7740b_JaffaCakes118.exe	33
PID 2280 wrote to memory of 2752	2280	shoot1.exe	34
PID 2280 wrote to memory of 2752	2280	shoot1.exe	34
PID 2280 wrote to memory of 2752	2280	shoot1.exe	34
PID 2280 wrote to memory of 2752	2280	shoot1.exe	34
PID 2280 wrote to memory of 2752	2280	shoot1.exe	34
PID 2280 wrote to memory of 2752	2280	shoot1.exe	34
PID 2280 wrote to memory of 2752	2280	shoot1.exe	34
PID 2340 wrote to memory of 1240	2340	CryptedFile.exe	21
PID 2340 wrote to memory of 1240	2340	CryptedFile.exe	21
PID 2340 wrote to memory of 1240	2340	CryptedFile.exe	21
PID 2340 wrote to memory of 1240	2340	CryptedFile.exe	21
PID 2752 wrote to memory of 1240	2752	CryptedFile.exe	21
PID 2752 wrote to memory of 1240	2752	CryptedFile.exe	21
PID 2752 wrote to memory of 1240	2752	CryptedFile.exe	21
PID 2752 wrote to memory of 1240	2752	CryptedFile.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\a3300bd250c3f457c47304d494a7740b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a3300bd250c3f457c47304d494a7740b_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\shoot1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\shoot1.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe
      "C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2340
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\shoot1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\shoot1.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe
      "C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe

Filesize
200KB

MD5
bda4386a939dc9ae1029ea71f28a4710

SHA1
c6edd243d797d3b60884c81de26c257ca66b9540

SHA256
23212f49629822a4e4a899d2ca17d4c04f25265316fa48748cf25fbe47685e31

SHA512
216ef48f6b1659e8bc08006f71d97ac4e71dfb441de641509eb432bd2ae6cbf5a4d3ef9cf12baaf842f31cfb737b4b44fedb2e6321a9921ad795e4c7af850330

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\shoot1.exe

Filesize
388KB

MD5
c6f433f5f1ba243b7d453ad5052abdff

SHA1
e346aa8e03c068073f7f4951a908a872ff09d1d0

SHA256
3ee4777d9936206a53d7d9272ce46fd9b393d0e622ecbeb3723f6dde0700d15d

SHA512
3fb2dc1ba627bfac17569ea5eaea6a20d7bbeb02fae6ea85d3778b4f3af8cebb09b71b8285248a2673219caf1e6db7806b4449ab6531633b391c761ec5ae1cb4

Download Submit
memory/1240-30-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1240-27-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/2080-9-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-10-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-8-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-21-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-7-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-6-0x000007FEF633E000-0x000007FEF633F000-memory.dmp

Filesize
4KB

Download
memory/2340-20-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2340-39-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2752-26-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2752-52-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download