Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/08/2024, 12:03

General

  • Target

    b3629a6421128471135973b74c5ac582_JaffaCakes118.exe

  • Size

    156KB

  • MD5

    b3629a6421128471135973b74c5ac582

  • SHA1

    ee5b65425ca732c2520247c2e552b776115363f6

  • SHA256

    6c07c7afffc8833235a0cc8385690627ee172043379f3c7a6b7c3a6cb7508887

  • SHA512

    c3bcf671cdf9ee1ed17a8a985ce10c423d73900e166ada8cfdb41ac279f17d71ee55c21c25fa32f11f86b316b9e823fd7af8b5801158319344fa005ce565627c

  • SSDEEP

    3072:hTB8BulaJemBX3cGUN/UCviuTetSRFGGQZORqWxliI:v66MBUN/vbTLrGTZOLm

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b3629a6421128471135973b74c5ac582_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b3629a6421128471135973b74c5ac582_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Windows\SysWOW64\net.exe
      net start BITS
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2392
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 start BITS
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2524
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B3629A~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2088

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Windows\SysWOW64\config\dmscrip.dll

    Filesize

    112KB

    MD5

    476b4f944519106461b2b7d563d080f0

    SHA1

    f037e32a73df5567d601ef0d6c497637aceb1627

    SHA256

    c400c50671d7fc01c405e5eadddc8c210d5f23f4397baf6a3270f7351dba9a35

    SHA512

    0606578ce00d331377a5e90fb41f67a8eacb621f2290dc5f3904c0864802c930fc7bde08a97fd02087fedb6c7b7c783e5c67a6424016276910d870f365d3b53f