f2c596b2327609ddf8faefcadfc5b5aba0968a648c1bbfb420344c5361d64f6b

Analysis

max time kernel
135s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b03323beac9d9f5e1bea9df445ec3aa7_JaffaCakes118.exe
Size

15KB
MD5

b03323beac9d9f5e1bea9df445ec3aa7
SHA1

9cad6930b8d04a71255828fbf0223d20e6068fa2
SHA256

f2c596b2327609ddf8faefcadfc5b5aba0968a648c1bbfb420344c5361d64f6b
SHA512

bcd9fb55f6601dcf38017ffb9b40362071d47143989d7f63a65a4efc20f04a91be5dcdb5f9692a297d6ec3eaf050841a1d5964abfde95d4a6f72f56e33b42e3b
SSDEEP

384:mTW/W75+GOuMmmV768YVkG+/+vJxmHd/RVdrP:xN0t9+/3RTD

Score

8^/10

discovery persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\45CFC2D2\ImagePath = "C:\\Windows\\system32\\45CFC2D2.EXE -k"	b03323beac9d9f5e1bea9df445ec3aa7_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1052	45CFC2D2.EXE

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\45CFC2D2.DLL	45CFC2D2.EXE
File created	C:\Windows\SysWOW64\delme.bat	b03323beac9d9f5e1bea9df445ec3aa7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\45CFC2D2.EXE	b03323beac9d9f5e1bea9df445ec3aa7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\45CFC2D2.EXE	b03323beac9d9f5e1bea9df445ec3aa7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\45CFC2D2.EXE	45CFC2D2.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b03323beac9d9f5e1bea9df445ec3aa7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45CFC2D2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4280	b03323beac9d9f5e1bea9df445ec3aa7_JaffaCakes118.exe
4280	b03323beac9d9f5e1bea9df445ec3aa7_JaffaCakes118.exe
1052	45CFC2D2.EXE
1052	45CFC2D2.EXE
1052	45CFC2D2.EXE
1052	45CFC2D2.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 516	4280	b03323beac9d9f5e1bea9df445ec3aa7_JaffaCakes118.exe	87
PID 4280 wrote to memory of 516	4280	b03323beac9d9f5e1bea9df445ec3aa7_JaffaCakes118.exe	87
PID 4280 wrote to memory of 516	4280	b03323beac9d9f5e1bea9df445ec3aa7_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\b03323beac9d9f5e1bea9df445ec3aa7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b03323beac9d9f5e1bea9df445ec3aa7_JaffaCakes118.exe"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\delme.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:516

C:\Windows\SysWOW64\45CFC2D2.EXE
C:\Windows\SysWOW64\45CFC2D2.EXE -k
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\45CFC2D2.EXE

Filesize
15KB

MD5
b03323beac9d9f5e1bea9df445ec3aa7

SHA1
9cad6930b8d04a71255828fbf0223d20e6068fa2

SHA256
f2c596b2327609ddf8faefcadfc5b5aba0968a648c1bbfb420344c5361d64f6b

SHA512
bcd9fb55f6601dcf38017ffb9b40362071d47143989d7f63a65a4efc20f04a91be5dcdb5f9692a297d6ec3eaf050841a1d5964abfde95d4a6f72f56e33b42e3b

Download Submit
C:\Windows\SysWOW64\delme.bat

Filesize
239B

MD5
805f091908cbc6bf1cf47a059dca7bd8

SHA1
fbdf88ec4eb4b016f86f9804dc93e67d8b0cba86

SHA256
982abac4f20de3cd18fb68c6d194b0e68569cec1a0318ae6595c8532150bf7de

SHA512
8d0d7ca654c83933b06bdde9f7a54757b3b4a2992b4e2318981d1b9aa0b5ae8f3a010aabbe895290f6b350101151d85b98c2f6e6704c571400727741d95a39b7

Download Submit
memory/1052-5-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1052-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4280-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4280-1-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/4280-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download