Analysis
-
max time kernel
147s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
21-08-2024 04:04
General
-
Target
b2095f390fb0ead7da09fb99ab445217_JaffaCakes118.exe
-
Size
72KB
-
MD5
b2095f390fb0ead7da09fb99ab445217
-
SHA1
d75f71239793ae14daa569b4513f123a72fc8abf
-
SHA256
a90ac1cae52f3777a1ef48c691298efaf7a3ab55e8e6c07817815f2cb77d7d8d
-
SHA512
7b9f729a27da7da75f9bb3d33ca1dc856fcf86199c9551fb95f1a6ad31adc2240e7f6d285ef260c8da68c4ce8966d04b8fcd59ee463507966e8fda0fd599a351
-
SSDEEP
1536:MgIdZxAz/Z41Wq02reJj3OCA025rn8hhWpgPPOgCZxk5v:wLxAzBiWqRr+3OCAfT8hwph
Malware Config
Signatures
-
Modifies security service 2 TTPs 20 IoCs
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 20 IoCs
-
UPX packed file 17 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 22 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 32 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Runs .reg file with regedit 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b2095f390fb0ead7da09fb99ab445217_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b2095f390fb0ead7da09fb99ab445217_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg3⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\qtime32.exeC:\Windows\system32\qtime32.exe 464 "C:\Users\Admin\AppData\Local\Temp\b2095f390fb0ead7da09fb99ab445217_JaffaCakes118.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\qtime32.exeC:\Windows\system32\qtime32.exe 512 "C:\Windows\SysWOW64\qtime32.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg5⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\qtime32.exeC:\Windows\system32\qtime32.exe 516 "C:\Windows\SysWOW64\qtime32.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg6⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\qtime32.exeC:\Windows\system32\qtime32.exe 520 "C:\Windows\SysWOW64\qtime32.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg7⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\qtime32.exeC:\Windows\system32\qtime32.exe 524 "C:\Windows\SysWOW64\qtime32.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg8⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\qtime32.exeC:\Windows\system32\qtime32.exe 528 "C:\Windows\SysWOW64\qtime32.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat8⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg9⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\qtime32.exeC:\Windows\system32\qtime32.exe 532 "C:\Windows\SysWOW64\qtime32.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat9⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg10⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\qtime32.exeC:\Windows\system32\qtime32.exe 536 "C:\Windows\SysWOW64\qtime32.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat10⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg11⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\qtime32.exeC:\Windows\system32\qtime32.exe 540 "C:\Windows\SysWOW64\qtime32.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat11⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg12⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\qtime32.exeC:\Windows\system32\qtime32.exe 548 "C:\Windows\SysWOW64\qtime32.exe"11⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat12⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg13⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD59e5db93bd3302c217b15561d8f1e299d
SHA195a5579b336d16213909beda75589fd0a2091f30
SHA256f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a
-
Filesize
815B
MD5fadf3805f68986d2ee9c82f560a564e4
SHA187bcab6ab1fb66ace98eb1d36e54eb9c11628aa6
SHA256d6e4760c4554b061363e89648dc4144f8a9ba8a300dde1a1621f22ecc62ab759
SHA512e3e495385da6d181a2411554a61b27c480ff31fa49225e8b2dc46b9ec4f618343475a8d189786b956c91efc65bfb05be19065bfdf3288eb011c5ec427e764cb9
-
Filesize
1KB
MD5614dc91c25423b19711b270e1e5a49ad
SHA1f66496dcf9047ae934bdc4a65f697be55980b169
SHA256cd2b70a70c7da79d5136e4268d6c685e81d925b9387b9ed9e1b3189118e2de5e
SHA51227a8649bb02ab6a67a1f2482662a6c690aefca551eec3575ea9aeee645d318b23d0dc6d5d2db239583ddb5f04ba13d94e5180a184566416291b7180fab0029e7
-
Filesize
1KB
MD53bd23392c6fcc866c4561388c1dc72ac
SHA1c4b1462473f1d97fed434014532ea344b8fc05c1
SHA256696a382790ee24d6256b3618b1431eaf14c510a12ff2585edfeae430024c7a43
SHA51215b3a33bb5d5d6e6b149773ff47ade4f22271264f058ad8439403df71d6ecfaa2729ef48487f43d68b517b15efed587b368bc6c5df549983de410ec23b55adb1
-
Filesize
2KB
MD5f8a9a1aa9bab7821d25ae628e6d04f68
SHA1c3e7a9ccc9805ae94aabfd16e2cb461fde3fae5a
SHA25676ee7c489d11427af94d0334368ef2ed44df4a74984ffd4022c9ea9fae9c41fb
SHA5120fb3a29367fa3c3eb36c6a7e9ff217ccdd7cce18309964aa7068a00f500ea4ea49588344ebbc52ae77d83e5042c3fdb84f56fa1dae07b8bb774aed6fffd18c0a
-
Filesize
3KB
MD5d085cde42c14e8ee2a5e8870d08aee42
SHA1c8e967f1d301f97dbcf252d7e1677e590126f994
SHA256a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f
SHA512de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b
-
Filesize
942B
MD54cee92ad10b11dbf325a40c64ff7d745
SHA1b395313d0e979fede2261f8cc558fcebfefcae33
SHA256eaeac48f16abac608c9bb5b8d0d363b2ca27708b262c1de41ab0f163c39a2fb1
SHA5123f11992b0c8f7c6f0180f984392f86ea8eb1859be236e2bbfbc863226d3cac67b06700561f27fb673e2955c6ebc5b168dd28ca704de57c4f6c07bdbf14f75ec9
-
Filesize
3KB
MD5831afd728dd974045c0654510071d405
SHA19484f4ee8e9eef0956553a59cfbcbe99a8822026
SHA25603223eaae4ac389215cb8a9cb4e4d5a70b67f791f90e57b8efd3f975f5cf6af2
SHA512ab7ac4d6d45b8aac5f82432468d40bd2b5bfae6d93006732ce27a6513fd3e7ddc94c029051092bf8b6f5649688c0f6600dbd88968732fc7b779e916e6bcda5c9
-
Filesize
3KB
MD51daa413d1a8cd1692f2e4ae22b54c74a
SHA12e02e2a23cfaa62f301e29a117e291ff93cc5d31
SHA25610732e2612780d9694faf0bb9b27cdc6f3376ad327da7dfc346e9e5579493d33
SHA512b947c70c7c4af971e3fbdc66fb7175b6624ac68c6a723dac7ecb5cf5f43bbe210fa0fa61fd4b6153dccf7de077d003ca03f061e209dc37773546b038e6aef277
-
Filesize
1KB
MD53637baf389a0d79b412adb2a7f1b7d09
SHA1f4b011a72f59cf98a325f12b7e40ddd0548ccc16
SHA256835336f5d468ac1d8361f9afbc8e69ff1538c51b0b619d641b4b41dcfaa39cba
SHA512ea71a49c3673e9ce4f92d0f38441b3bc5b3b9ef6649caa21972648e34b6cec8694fa8fb7fc0ddad1e58f0464e0ba917c4500090a3db3fc07e1d258079c1c2506
-
Filesize
1KB
MD5908860a865f8ed2e14085e35256578dd
SHA17ff5ee35cc7e96a661848eb95a70d0b8d2d78603
SHA256d2b73d92cf00a9dc61f2777a7f298e8c4bb72697236965f8931bdfc9d0924c5f
SHA512a93bb8cb180d957ef2b2c511d5ff66a25d2bcfb071af9884c146b8c422d1fadc9a4d390712bc2cb27640634854b3e59d5209803373cf1f42381d513747a65fd9
-
Filesize
2KB
MD561ec72543aaac5c7b336d2b22f919c07
SHA15bddb1f73b24c2113e9bf8268640f75fb0f3bd8d
SHA256088881ff28ef1240847decd884be366614865bf9660f862dbffa64d504467aea
SHA512e8ed6c1813218a542e0449f6bcda47b9464f2445a5d4b20e20b657d5328eb9fd5ddf859e61794a0b3d32057590ac029064c078d5743fe1a316ca8fdf254f7f62
-
Filesize
1KB
MD55b77620cb52220f4a82e3551ee0a53a6
SHA107d122b8e70ec5887bad4ef8f4d6209df18912d0
SHA25693ee7aaab4bb8bb1a11aede226bdb7c2ad85197ef5054eb58531c4df35599579
SHA5129dc2b10a03c87d294903ff3514ca38ce1e85dec66213a7042d31f70fb20d36fed645150c5a6cb6f08c31bdc9f61e7dee2f1737c98aab263c289b09ffa663371c
-
Filesize
1KB
MD58a84d46ef81c793a90a80bc806cffdcf
SHA102fac9db9330040ffc613a325686ddca2678a7c5
SHA256201891985252489d470c08e66c42a4cf5f9220be3051b9a167936c8f80a606c4
SHA512b198b32fd9be872968644641248d4e3794aa095f446bab4e1c5a54b2c109df166bbdfb54d4fd8912d202f92ac69b1685ed0c30256e40f30d72e433ee987cc374
-
Filesize
1KB
MD5a920eceddece6cf7f3487fd8e919af34
SHA1a6dee2d31d4cbd1b18f5d3bc971521411a699889
SHA256ec2d3952154412db3202f5c95e4d1b02c40a7f71f4458898ddc36e827a7b32d6
SHA512a4700af2ce477c7ce33f434cdddd4031e88c3926d05475f522a753063269fe8b6e50b649c3e939272240194951cb70ac05df533978c19839e381141535275ecc
-
Filesize
3KB
MD58d6eb64e58d3f14686110fcaf1363269
SHA1d85c0b208716b400894ba4cb569a5af4aa178a2f
SHA256c2a1a92cfa466fb5697626723b448c1730634ae4e0e533ad6cf11e8e8ebf2cf5
SHA5125022856e8efeab2cdda3d653c4c520f5b6bf5dfa841ffc224a3338acfa8a41fd16321a765077973be46dd6296c6a9bf8341a42c22fe4b0a7fc6edabbcbf16ee7
-
Filesize
72KB
MD5b2095f390fb0ead7da09fb99ab445217
SHA1d75f71239793ae14daa569b4513f123a72fc8abf
SHA256a90ac1cae52f3777a1ef48c691298efaf7a3ab55e8e6c07817815f2cb77d7d8d
SHA5127b9f729a27da7da75f9bb3d33ca1dc856fcf86199c9551fb95f1a6ad31adc2240e7f6d285ef260c8da68c4ce8966d04b8fcd59ee463507966e8fda0fd599a351
-
Filesize
5KB
MD50019a0451cc6b9659762c3e274bc04fb
SHA15259e256cc0908f2846e532161b989f1295f479b
SHA256ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB