dfbf754883a8c25140f3bc40d1669b008cb8c88fb54d6411acca41258c8ed454

Analysis

max time kernel
136s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aefff5c87cdfa12ef38d299a44b711d1_JaffaCakes118.exe
Size

453KB
MD5

aefff5c87cdfa12ef38d299a44b711d1
SHA1

e2e133afdc1b3e8b23151105adf69d03e86ff0de
SHA256

dfbf754883a8c25140f3bc40d1669b008cb8c88fb54d6411acca41258c8ed454
SHA512

8e1fb38fdef78c63aa4c05a9c59d505ab401560696c30effaf56958e027fe9a0a4fecd5a3efd9a20a2f9f1c747ecfd614704a8cbdbb00a26d44471696ccf022e
SSDEEP

12288:pLoHy90iDcqWrqN3Xwb5avzss6rQQ7QTt:cyoqWr+3XqYrv6rQGK

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3988	111.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	aefff5c87cdfa12ef38d299a44b711d1_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aefff5c87cdfa12ef38d299a44b711d1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 3988	4968	aefff5c87cdfa12ef38d299a44b711d1_JaffaCakes118.exe	85
PID 4968 wrote to memory of 3988	4968	aefff5c87cdfa12ef38d299a44b711d1_JaffaCakes118.exe	85
PID 4968 wrote to memory of 3988	4968	aefff5c87cdfa12ef38d299a44b711d1_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\aefff5c87cdfa12ef38d299a44b711d1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aefff5c87cdfa12ef38d299a44b711d1_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\111.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\111.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\111.exe

Filesize
288KB

MD5
218cbc42cb460579b7716c6fb4f483de

SHA1
1b94a4e19b347134089a1f677bef426a73e558c3

SHA256
8a5fecb7b2ddee9aa8e4b8054225268224cea56e956650bdc8ba2068f79fe4e0

SHA512
f0f413515dd32d2be5c01ac591d8569d06fba397e8469b70ba37c2e27ab92578152f4e405abb8e3c2e2465f196fd6e92e2624e222b064501be54e2fc51c51334

Download Submit
memory/3988-12-0x0000000002550000-0x0000000002560000-memory.dmp

Filesize
64KB

Download
memory/3988-11-0x0000000077C12000-0x0000000077C13000-memory.dmp

Filesize
4KB

Download
memory/3988-7-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/3988-8-0x00000000020A0000-0x00000000020ED000-memory.dmp

Filesize
308KB

Download
memory/3988-9-0x00000000021D0000-0x00000000021E0000-memory.dmp

Filesize
64KB

Download
memory/3988-17-0x00000000020A0000-0x00000000020ED000-memory.dmp

Filesize
308KB

Download
memory/3988-13-0x00000000021D0000-0x00000000021E0000-memory.dmp

Filesize
64KB

Download
memory/3988-16-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3988-10-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/3988-14-0x0000000002550000-0x0000000002560000-memory.dmp

Filesize
64KB

Download
memory/3988-15-0x00000000020A0000-0x00000000020ED000-memory.dmp

Filesize
308KB

Download
memory/4968-1-0x0000000001001000-0x0000000001002000-memory.dmp

Filesize
4KB

Download
memory/4968-0-0x0000000001000000-0x0000000001076000-memory.dmp

Filesize
472KB

Download
memory/4968-18-0x0000000001000000-0x0000000001076000-memory.dmp

Filesize
472KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads