629b6904b9daf80a63e8dc11d5536c38ee6a50aa507a8b9b644f4e2657849a23

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac65a2e95f74a8e753497f1aac3958d4_JaffaCakes118.exe
Size

416KB
MD5

ac65a2e95f74a8e753497f1aac3958d4
SHA1

70135d5c98d37f959197f4b9fc5c6a765568e46b
SHA256

629b6904b9daf80a63e8dc11d5536c38ee6a50aa507a8b9b644f4e2657849a23
SHA512

882d12b0e032697780f02cde790025b3902328992415f6abd9814589187f0b49524d3ad3c460b3ea0a33c6f0417106407ed84baa21dda5bd5baafcd4abbd87c5
SSDEEP

12288:qVAKT1mpPxnqP06Qa3y6QvXHN2mWm7SB4mk/JahrQ:gAo1d0A39QPN2mWgSB3bS

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1064	L_Serverl.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\DELME.BAT	ac65a2e95f74a8e753497f1aac3958d4_JaffaCakes118.exe
File created	C:\Windows\L_Serverl.exe	ac65a2e95f74a8e753497f1aac3958d4_JaffaCakes118.exe
File opened for modification	C:\Windows\L_Serverl.exe	ac65a2e95f74a8e753497f1aac3958d4_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac65a2e95f74a8e753497f1aac3958d4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	L_Serverl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1120	ac65a2e95f74a8e753497f1aac3958d4_JaffaCakes118.exe
Token: SeDebugPrivilege	1064	L_Serverl.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1064	L_Serverl.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 948	1120	ac65a2e95f74a8e753497f1aac3958d4_JaffaCakes118.exe	89
PID 1120 wrote to memory of 948	1120	ac65a2e95f74a8e753497f1aac3958d4_JaffaCakes118.exe	89
PID 1120 wrote to memory of 948	1120	ac65a2e95f74a8e753497f1aac3958d4_JaffaCakes118.exe	89
PID 1064 wrote to memory of 384	1064	L_Serverl.exe	88
PID 1064 wrote to memory of 384	1064	L_Serverl.exe	88

C:\Users\Admin\AppData\Local\Temp\ac65a2e95f74a8e753497f1aac3958d4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ac65a2e95f74a8e753497f1aac3958d4_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\DELME.BAT
  2⤵
  - System Location Discovery: System Language Discovery
  PID:948

C:\Windows\L_Serverl.exe
C:\Windows\L_Serverl.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\DELME.BAT

Filesize
218B

MD5
1b04256de3a336ffbb53290bfc3c387b

SHA1
e2f1949850d671088922536d4c7f72e5f9336bfd

SHA256
f9bc03776787ac17cd31e06da33ededecf8d6a7f6b141debf42314a314fb9a4a

SHA512
a9effa84d422b12681ab7346880774d8be0cff01e4995fb4758b3b44e1573f1143e92fc99d3cc716400dccc8510f535b65d3bc36742686c2766773e773794363

Download Submit
C:\Windows\L_Serverl.exe

Filesize
416KB

MD5
ac65a2e95f74a8e753497f1aac3958d4

SHA1
70135d5c98d37f959197f4b9fc5c6a765568e46b

SHA256
629b6904b9daf80a63e8dc11d5536c38ee6a50aa507a8b9b644f4e2657849a23

SHA512
882d12b0e032697780f02cde790025b3902328992415f6abd9814589187f0b49524d3ad3c460b3ea0a33c6f0417106407ed84baa21dda5bd5baafcd4abbd87c5

Download Submit
memory/1064-7-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/1064-13-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/1120-0-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/1120-2-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/1120-1-0x00000000004CA000-0x00000000004CD000-memory.dmp

Filesize
12KB

Download
memory/1120-11-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download