30b9cc770a39f929ea24114608833aa8714d5b8b23a1924db4834873c89b75a4

Analysis

max time kernel
15s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 04:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b220e597866cc30d0dfdc6e00118b73d_JaffaCakes118.exe
Size

162KB
MD5

b220e597866cc30d0dfdc6e00118b73d
SHA1

629cdb2e0d7c953e000626da5c95da3d6dee36ee
SHA256

30b9cc770a39f929ea24114608833aa8714d5b8b23a1924db4834873c89b75a4
SHA512

848687b1618521e916e6740919fb20e75e972427b6905799a0d441e16e8e29b6b55aa1aa73f522025d946650b8e5b6d78141ace7f797a35c38bc68703800ab17
SSDEEP

3072:O/7UTpCV3eN1mEbdnkdfYTz8oDp3DAeU:O/7GNbmEByYTz/hDA

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2556	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b220e597866cc30d0dfdc6e00118b73d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2712	b220e597866cc30d0dfdc6e00118b73d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2556	2712	b220e597866cc30d0dfdc6e00118b73d_JaffaCakes118.exe	29
PID 2712 wrote to memory of 2556	2712	b220e597866cc30d0dfdc6e00118b73d_JaffaCakes118.exe	29
PID 2712 wrote to memory of 2556	2712	b220e597866cc30d0dfdc6e00118b73d_JaffaCakes118.exe	29
PID 2712 wrote to memory of 2556	2712	b220e597866cc30d0dfdc6e00118b73d_JaffaCakes118.exe	29
PID 2712 wrote to memory of 2556	2712	b220e597866cc30d0dfdc6e00118b73d_JaffaCakes118.exe	29
PID 2712 wrote to memory of 2556	2712	b220e597866cc30d0dfdc6e00118b73d_JaffaCakes118.exe	29
PID 2712 wrote to memory of 2556	2712	b220e597866cc30d0dfdc6e00118b73d_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\b220e597866cc30d0dfdc6e00118b73d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b220e597866cc30d0dfdc6e00118b73d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Bqb..bat" > nul 2> nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bqb..bat

Filesize
238B

MD5
2284678f1b266487c62d8739fd63cb46

SHA1
f4830b283f6dbb7539555697ce8a210cdc381b8c

SHA256
5a19dc8c116e31d991005199c8ba9b327763b32014a6c02704139910f4d9b2e2

SHA512
13b89c22475fae7867aba0bc5d90ebe1f6bb9ea6e24a174e50885343e94ff31fa1efd3a2f73238b9bfb7abe72535993b34277b71fd8cc508e0085bfeab24048f

Download Submit
memory/2712-0-0x0000000001D90000-0x0000000001DA4000-memory.dmp

Filesize
80KB

Download
memory/2712-1-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2712-3-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download