47807a2009bb7e19a88ee36eafd29f0e73011ff2d136d0ed88d79a3b97f8c152

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 08:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe
Size

255KB
MD5

b2b30c113c229e0e2b421388f11051b4
SHA1

d35908f433bf6fbee906395455019b3af2416971
SHA256

47807a2009bb7e19a88ee36eafd29f0e73011ff2d136d0ed88d79a3b97f8c152
SHA512

15d96b30f4a94640c65859d7d9728aab175a93e1f5d2d488782312d762a5231e036dff9575f1fecff61cfcffb87f2740d2843a909dcae5a0bbd4b0b6aad60439
SSDEEP

6144:sIQo+g3ENykfjMkLO7u6uYm3wD33DVbN:r532TLWZWS33xb

Score

9^/10

collection discovery

Malware Config

Signatures

Detected Nirsoft tools 4 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/2784-19-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral1/memory/2784-23-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral1/memory/2784-24-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral1/memory/2580-62-0x0000000000400000-0x0000000000414000-memory.dmp	Nirsoft

Deletes itself 1 IoCs

pid	Process
2172	cmd.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2292 set thread context of 2784	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	30
PID 2292 set thread context of 2248	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	31
PID 2292 set thread context of 2580	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	32
PID 2292 set thread context of 2476	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	33
PID 2292 set thread context of 1884	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	34
PID 2292 set thread context of 2164	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	35

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe
Token: SeDebugPrivilege	2580	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2784	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2784	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2784	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2784	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2784	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2784	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2784	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2784	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2784	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2784	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2248	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2248	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2248	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2248	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2248	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2248	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2248	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2248	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2248	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2248	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2580	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2580	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2580	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2580	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2580	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2580	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2580	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2580	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2580	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2580	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2476	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	33
PID 2292 wrote to memory of 2476	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	33
PID 2292 wrote to memory of 2476	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	33
PID 2292 wrote to memory of 2476	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	33
PID 2292 wrote to memory of 2476	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	33
PID 2292 wrote to memory of 2476	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	33
PID 2292 wrote to memory of 2476	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	33
PID 2292 wrote to memory of 2476	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	33
PID 2292 wrote to memory of 2476	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	33
PID 2292 wrote to memory of 2476	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	33
PID 2292 wrote to memory of 1884	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	34
PID 2292 wrote to memory of 1884	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	34
PID 2292 wrote to memory of 1884	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	34
PID 2292 wrote to memory of 1884	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	34
PID 2292 wrote to memory of 1884	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	34
PID 2292 wrote to memory of 1884	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	34
PID 2292 wrote to memory of 1884	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	34
PID 2292 wrote to memory of 1884	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	34
PID 2292 wrote to memory of 1884	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	34
PID 2292 wrote to memory of 1884	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	34
PID 2292 wrote to memory of 2164	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	35
PID 2292 wrote to memory of 2164	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	35
PID 2292 wrote to memory of 2164	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	35
PID 2292 wrote to memory of 2164	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	35
PID 2292 wrote to memory of 2164	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	35
PID 2292 wrote to memory of 2164	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	35
PID 2292 wrote to memory of 2164	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	35
PID 2292 wrote to memory of 2164	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	35
PID 2292 wrote to memory of 2164	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	35
PID 2292 wrote to memory of 2164	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	35
PID 2292 wrote to memory of 2172	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	36
PID 2292 wrote to memory of 2172	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	36
PID 2292 wrote to memory of 2172	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	36
PID 2292 wrote to memory of 2172	2292	b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe	36

C:\Users\Admin\AppData\Local\Temp\b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Users\Admin\AppData\Local\Temp\b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2248
- C:\Users\Admin\AppData\Local\Temp\b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Users\Admin\AppData\Local\Temp\b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  - Accesses Microsoft Outlook accounts
  - System Location Discovery: System Language Discovery
  PID:2476
- C:\Users\Admin\AppData\Local\Temp\b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1884
- C:\Users\Admin\AppData\Local\Temp\b2b30c113c229e0e2b421388f11051b4_JaffaCakes118.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\kill.bat""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kill.bat

Filesize
267B

MD5
18cc051373dc781771503fcf29b63057

SHA1
4851e1b9cbf7fa67a9c8420b04f3bc551e931e0a

SHA256
d863c9f6632a37a76164a029e2a02ea966ad0ed53ca215ae28d3ff19775bb977

SHA512
0b2a9432281d5f8573f66882169fb7e3dabb00d78330f59f8033b4143e4603412409c1a392a72455f6eb198e1ec3b3ae5754f3d6acd2f4d0a50f4d50373f8c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.txt

Filesize
33B

MD5
fec8656dbc9772ee24163ae3d57f41d9

SHA1
4e82071ada9bdc0002decba8b18b22a6dfdd127d

SHA256
7a3295b2c8c4797b8e5b4616bcc19bca30266371a54666855cbc67d443a3e4f4

SHA512
7c5965e41515a34db05c442587607bb51b6a3a8662df39513474f0d12c1236d882989d8c8bc99d24be27531c0e0df76af8c4beaf45e041767ab6ba2c72fc9326

Download Submit
memory/1884-112-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1884-106-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2248-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2248-47-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2248-46-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2248-45-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2248-33-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2248-26-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2248-30-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2248-36-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2248-43-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2292-0-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download
memory/2580-59-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2580-62-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2580-49-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2580-51-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2580-57-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2580-53-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2784-23-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2784-16-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2784-24-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2784-10-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2784-6-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2784-8-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2784-13-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2784-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2784-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download