1692d354339d2fd8ac74418a650130ccf2a4be612d4a0568ada8c9f95b65861b

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a639768675cc6545bafe4f55dbb1b576_JaffaCakes118.exe
Size

320KB
MD5

a639768675cc6545bafe4f55dbb1b576
SHA1

27079abd0e237d61e8e6753afa1a91da18bf62f1
SHA256

1692d354339d2fd8ac74418a650130ccf2a4be612d4a0568ada8c9f95b65861b
SHA512

c0fdb66ba5eee04e69fc75eb556d397319a04906f60666b3dd2b5b9da57770829a0be4e99da35ef1a9f9495ec53bc20923a0c3ac656259e2b13a60466234724e
SSDEEP

3072:c+SOncDw+AoUBPNBPt4CvLXukOFfrsrRMeTsuZfb:HSOnswPPXPHvLXCTslMewuZz

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2352	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2108	qxdfbv.exe

Loads dropped DLL 2 IoCs

pid	Process
2352	cmd.exe
2352	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a639768675cc6545bafe4f55dbb1b576_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qxdfbv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2400	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2400	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2352	1856	a639768675cc6545bafe4f55dbb1b576_JaffaCakes118.exe	30
PID 1856 wrote to memory of 2352	1856	a639768675cc6545bafe4f55dbb1b576_JaffaCakes118.exe	30
PID 1856 wrote to memory of 2352	1856	a639768675cc6545bafe4f55dbb1b576_JaffaCakes118.exe	30
PID 1856 wrote to memory of 2352	1856	a639768675cc6545bafe4f55dbb1b576_JaffaCakes118.exe	30
PID 2352 wrote to memory of 2108	2352	cmd.exe	32
PID 2352 wrote to memory of 2108	2352	cmd.exe	32
PID 2352 wrote to memory of 2108	2352	cmd.exe	32
PID 2352 wrote to memory of 2108	2352	cmd.exe	32
PID 2352 wrote to memory of 2400	2352	cmd.exe	33
PID 2352 wrote to memory of 2400	2352	cmd.exe	33
PID 2352 wrote to memory of 2400	2352	cmd.exe	33
PID 2352 wrote to memory of 2400	2352	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\a639768675cc6545bafe4f55dbb1b576_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a639768675cc6545bafe4f55dbb1b576_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ebfkomz.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\qxdfbv.exe
    "C:\Users\Admin\AppData\Local\Temp\qxdfbv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2108
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ebfkomz.bat

Filesize
124B

MD5
4faec14d5be15b5db2598c709b647aa2

SHA1
248b5524de14edeb92f23fe3191eb7124b9bc1df

SHA256
e4a691b4ef92c6ee438849130c13d87407b991c6692505db1782e92c3e246f5b

SHA512
6ca97bb79c1f17497bcd474fa7ef086c09334d1b17a5bc3da968d535dc4e5c921a0ea7949be04e556bfc0e67603f1cc95e4a63dca6e060525ce14379b0596ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qxdfbv.exe

Filesize
184KB

MD5
81f9b81b05ddbc1739370e8fe158d4b9

SHA1
c73ae774e2a1f820e8ce100f2d6c514c0b4366d4

SHA256
f50be743adf9aa02e7199af7ad9f47f790166304a591c683b80a27b3b0e92c56

SHA512
5f033152c2b84f3d2b69ada76bb179fa28216c32a611a57bfe86944f41dd5a4fcca05ccdcde70255e542bf3ee4f30127d6faf4d5877619d74522fd1ac961fe41

Download Submit
C:\Users\Admin\AppData\Local\Temp\wufuga.bat

Filesize
170B

MD5
7e4adacb953b727d191f9e11237c4a67

SHA1
1ad6efccda0579a64bbd577769e14833d5b3555a

SHA256
bf3f7cc40c62d3e999ad6ce1a2630c254e948481ec85edce58580ead0fc78b04

SHA512
ee835ab5d579314477a36381c8f0fed44ab6c382f1bec011bc91c062734069b317ad93bd6b2b537a3f53c2d76b3af9467ed544ee00607334e91468e0d7f75f67

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads