2e2980c068cae35de582f28cc6a7e3e7cd86d31e4e0679a866ae2938c832d5f7

Analysis

max time kernel
138s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1d6c0d899ab2e9a5af6ff90313011fb_JaffaCakes118.exe
Size

4.4MB
MD5

b1d6c0d899ab2e9a5af6ff90313011fb
SHA1

94a85197bb90d8a5de52dc27d06fb19c78f02301
SHA256

2e2980c068cae35de582f28cc6a7e3e7cd86d31e4e0679a866ae2938c832d5f7
SHA512

ac073329551a8201dbe0446e4c7b435497f141304886ee557d15f39c5cb1bd34c495bee3e4f52afa52b9c8d747d22f21859af5cfd45f370c6383bd156a89e499
SSDEEP

98304:OgiSIXfsR41d3H4UDGojK9Z3fdEzD3gCa0:J8sEd3YwaZ2QCv

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2444	autorun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b1d6c0d899ab2e9a5af6ff90313011fb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	autorun.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2444	autorun.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4976	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4976	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3432	b1d6c0d899ab2e9a5af6ff90313011fb_JaffaCakes118.exe
2444	autorun.exe
2444	autorun.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 2444	3432	b1d6c0d899ab2e9a5af6ff90313011fb_JaffaCakes118.exe	85
PID 3432 wrote to memory of 2444	3432	b1d6c0d899ab2e9a5af6ff90313011fb_JaffaCakes118.exe	85
PID 3432 wrote to memory of 2444	3432	b1d6c0d899ab2e9a5af6ff90313011fb_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\b1d6c0d899ab2e9a5af6ff90313011fb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b1d6c0d899ab2e9a5af6ff90313011fb_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
  "C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\b1d6c0d899ab2e9a5af6ff90313011fb_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2444

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x470 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Audio\Us Against The World.wma

Filesize
965KB

MD5
439118654a4af065fb83add3d871e896

SHA1
12af98fd03639ddccfc82ec55b53460490ee8dc3

SHA256
62496eecc96b9a08aaa7cef0131773dfe967f44ad6d45927d5e072212f28eacd

SHA512
9448340075cb991b5b9a8aa159d13884130c96de27e1b634d8a6904152fc02a0cd18cf38c3e25223e99c9c0423aeb3d5d4567591f46e6fb2dae1a21ad900de79

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\16_1030.btn

Filesize
13KB

MD5
46f709c14151b820bc3046a32c41835e

SHA1
8d76845cd002e772ccea5aacdf9b9e42e6e21e0e

SHA256
a2363642e2a3370e020556bd32de92b1ee83003d2bb94007954e2d07e7d355e8

SHA512
279d4e4c19924d21e64fe9df6af8ce3593e6f3cdfaa6fa08476ffdee4be0d4c38999798f07e6d54f410dff3ec2f7e94bf65edac02182cfd5c098aec39e2a2dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\1_623.btn

Filesize
4KB

MD5
a60250b7ec0e0a1350c652c147c4c709

SHA1
20a33c772800c92561235aeac81188b22aa4c682

SHA256
1c047bb9b3509fefb9c291c927956c2104c18a871ccc9f77830c96134a398a6f

SHA512
e5be9be0fb46754ee40916439f702b5617a22c49211709bbc1839805234229a709e18e3514dae651e4745d89d70386ea7c3d8dd9322f1f917f710a540c61f5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\green_pill.btn

Filesize
29KB

MD5
5e9be93d1367fae735bde5f38967bb33

SHA1
98bf61fe563bc844ab367b00e4d4604c6172f418

SHA256
7ba47387eeb2b8b4c44eb831e5202456a3149099d0177babc96162ec85c9b6ed

SHA512
ba4700d80460649a9350f019df89dff8aaadc2ccc8b3f7358f25ac5d2b1ae53c54d3b71e28e47197e63543ef0232051884762d13b6bb48881f79d1133074f886

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\grey_pill.btn

Filesize
26KB

MD5
fc7e134baad5ca471bfb4e0037cf56e0

SHA1
c5eaff41f2cea927ed955fc6c38f1b577cc6f66f

SHA256
8448f5428b46e6d293339b2dc7d2e47789cc17f6d42d668603857ba901b8cfbc

SHA512
5659f3d399056852081b63c89185e6f8abfc165c2bd9db562eef2dbdd9d5641ff32a3b997bfd69f7b16b9c193aaa2dfd7bf2e71da408871c96e870d34433cfc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\red_pill.btn

Filesize
28KB

MD5
afb369861050725b1ea626e47b0f2c77

SHA1
307d24c22c0d4750d94c9042f197da6e66105954

SHA256
5982a4d8831ed4ab670a1949951c7b8704cbe2941c14e7fbb277780ca4e5a4c3

SHA512
98bda85a3153e6fd5b5755613f0add4aac2f106e0e2c7f4bd2f0d1a63dd4375f2039eadfeef97c6135821fcf7fce36adcdc0095e5498d93176accd7abde4daac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\A1L2.exe

Filesize
355KB

MD5
f3130620ad015b35d096216b3c0c6061

SHA1
3a33c563e27558f29515cc48f4e4649ee628717f

SHA256
1015b9c82fb42e666e56e960f3e83e88ae8702fe5cd2fe80eb0bbb75cf0e36d5

SHA512
bc6253b02161171b750f20e04daa8f50e8842180be28907118680954e03d84ff3c88542940f04e5494738638e05e933b02974cb9b23b54ee06d9325faaa50582

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Icons\123.ICO

Filesize
8KB

MD5
fb284df0c98418a286222553429396cd

SHA1
3188695eb7372a64fe641f19b8dcb96b75dd97fa

SHA256
dc2d634d7b6c42d9ce996d8df27e8131b9ddfee0e6cf9cf228b86f114b608a40

SHA512
ca7a220ef172ffac0a1ba9b06a607557146c7a421aaa4a1206bdc64f8c3720c8b11e21cfe1cb7c0c9adeb66c59cca8b5528d068e76d41c0619d5cde091a36d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\298418.jpg

Filesize
131KB

MD5
9a3cbdca85c2f14d75e683613bfccaa7

SHA1
b4db58812a4c0f03310c91bbe8ad97cc00922633

SHA256
b37a392ee75e7fc35fbad6cc7e72e0104f97b03b7dcc4358b5798ea1a6dba1d5

SHA512
732f32491c0e46480c8cade1112520cf2fa00539b5bf4f384a25c2a179b0aa1516555f495e867030b9d232655961563af7363672aee7446a6564cabf49297a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

Filesize
451KB

MD5
ab321a3d94372443ab7ee83d88cdd4db

SHA1
75f98f5e9af3ec227801a72a8438adc235d6e33a

SHA256
84f0a119597964bb51a082433bddbb2f9f29af8dfc7ef7486b129f2d69082309

SHA512
028beca4eda4699e342a2f06672f24c91014c039f0216dd1fa8964d6dffd3e68834a6a12c7b6b458de6dabd526bc94623b5a160e8f2270d65a0236647913f1e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
2.5MB

MD5
1f9667eaa2f8ca392984f710ce0b3509

SHA1
6e0eaed74d93298472157530e985838b298641c7

SHA256
303e6ac9c8ddffd593680f5ddda4b21248ba30453bfadc1b838618f710be8e4c

SHA512
8d8585fbab6b7ff95d0b37ec171faa759c842bcab47caf1779d0fb9ea8db7450c085fe635efa52a8285a60b8c5064e44750b87e40525b745da06c200592b5ac2

Download Submit
memory/2444-73-0x0000000003930000-0x0000000003940000-memory.dmp

Filesize
64KB

Download
memory/2444-72-0x0000000003930000-0x0000000003940000-memory.dmp

Filesize
64KB

Download