e1fb12c9dfc1bcf77e833a439c5264a332161d9708db19137956ba5499073df0

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20-08-2024 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe
Size

89KB
MD5

af2de28a68236488c99605f2f56001b4
SHA1

557d203fc988106fb84d82ce9f0cad85285a8810
SHA256

e1fb12c9dfc1bcf77e833a439c5264a332161d9708db19137956ba5499073df0
SHA512

adc4c02e6886bb2caf06c8148316b90ff6ccac148661b516c1b6f81034b4bd37f1e0701f47b774cb720d5691cc6d0368da8685757afee5911bf4c931e17c078c
SSDEEP

1536:W3IWn6TcKebNXzTjI0GGFsNhSEO+k+bmNHEc6JgD7HjVeAR2vBC+oGUE:dWLNHfFsDSeKVEcsgnDXR25Ced

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\glok+7858-79d7.sys	af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe
File created	C:\Windows\glok+serv.config	af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe
File opened for modification	C:\Windows\glok+serv.config	af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2724	2276	af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2724	2276	af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2724	2276	af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2724	2276	af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2436	2276	af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe	31
PID 2276 wrote to memory of 2436	2276	af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe	31
PID 2276 wrote to memory of 2436	2276	af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe	31
PID 2276 wrote to memory of 2436	2276	af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe	31
PID 2724 wrote to memory of 3864	2724	w32tm.exe	34
PID 2724 wrote to memory of 3864	2724	w32tm.exe	34
PID 2724 wrote to memory of 3864	2724	w32tm.exe	34
PID 2724 wrote to memory of 3864	2724	w32tm.exe	34
PID 2436 wrote to memory of 5468	2436	w32tm.exe	35
PID 2436 wrote to memory of 5468	2436	w32tm.exe	35
PID 2436 wrote to memory of 5468	2436	w32tm.exe	35
PID 2436 wrote to memory of 5468	2436	w32tm.exe	35

C:\Users\Admin\AppData\Local\Temp\af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\w32tm.exe
  w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\system32\w32tm.exe
    w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
    3⤵
    PID:3864
- C:\Windows\SysWOW64\w32tm.exe
  w32tm /config /update
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\system32\w32tm.exe
    w32tm /config /update
    3⤵
    PID:5468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\glok+serv.config

Filesize
47KB

MD5
fc2ec4e02620f8ca59d9930015084144

SHA1
25bcab32fc772d5ef275c65850aee1cb7980621f

SHA256
16dac0aff58612c7ca4362cfd71a1096bb9d6a645432b7dd949bb214e8fedaab

SHA512
0f14a023e164840b1a6ee722dc03559cc6ab354ae6107ea244fbb1a668178a9b485e5753da1d258f443462f2b182da74419e921ed486eaf43c142dcb1dca51f1

Download Submit