454a0f6520b5b880b7edc427ea52b4c47fec946ca4b3b45e31fe07bfcf325736

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b43583b985e29c0d796863b562d1bc72_JaffaCakes118.exe
Size

93KB
MD5

b43583b985e29c0d796863b562d1bc72
SHA1

f161b38273988ca9ac0758d4e98d980ea108ad54
SHA256

454a0f6520b5b880b7edc427ea52b4c47fec946ca4b3b45e31fe07bfcf325736
SHA512

325c7d809c39d93cf68aa7077785869da108385728cec96442be9e86b6b4fecb74bfb5fd48005ba34422501a3707702ce37fb84c4074dd9ca2652652981580c9
SSDEEP

1536:GwiGqmQVoPsvxPl3oYcl/ikt51h9J7HMUF7TGD+0ICJ6I9UmNFnToIf6HTR3K3bS:GwAoPcBATl5CJ68U6tTBfoTR30bsmksi

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2076	NB_Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b43583b985e29c0d796863b562d1bc72_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NB_Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2464	1512	b43583b985e29c0d796863b562d1bc72_JaffaCakes118.exe	30
PID 1512 wrote to memory of 2464	1512	b43583b985e29c0d796863b562d1bc72_JaffaCakes118.exe	30
PID 1512 wrote to memory of 2464	1512	b43583b985e29c0d796863b562d1bc72_JaffaCakes118.exe	30
PID 1512 wrote to memory of 2464	1512	b43583b985e29c0d796863b562d1bc72_JaffaCakes118.exe	30
PID 1512 wrote to memory of 2464	1512	b43583b985e29c0d796863b562d1bc72_JaffaCakes118.exe	30
PID 1512 wrote to memory of 2464	1512	b43583b985e29c0d796863b562d1bc72_JaffaCakes118.exe	30
PID 1512 wrote to memory of 2464	1512	b43583b985e29c0d796863b562d1bc72_JaffaCakes118.exe	30
PID 2464 wrote to memory of 2076	2464	cmd.exe	32
PID 2464 wrote to memory of 2076	2464	cmd.exe	32
PID 2464 wrote to memory of 2076	2464	cmd.exe	32
PID 2464 wrote to memory of 2076	2464	cmd.exe	32
PID 2464 wrote to memory of 2076	2464	cmd.exe	32
PID 2464 wrote to memory of 2076	2464	cmd.exe	32
PID 2464 wrote to memory of 2076	2464	cmd.exe	32
PID 1512 wrote to memory of 2008	1512	b43583b985e29c0d796863b562d1bc72_JaffaCakes118.exe	35
PID 1512 wrote to memory of 2008	1512	b43583b985e29c0d796863b562d1bc72_JaffaCakes118.exe	35
PID 1512 wrote to memory of 2008	1512	b43583b985e29c0d796863b562d1bc72_JaffaCakes118.exe	35
PID 1512 wrote to memory of 2008	1512	b43583b985e29c0d796863b562d1bc72_JaffaCakes118.exe	35
PID 1512 wrote to memory of 2008	1512	b43583b985e29c0d796863b562d1bc72_JaffaCakes118.exe	35
PID 1512 wrote to memory of 2008	1512	b43583b985e29c0d796863b562d1bc72_JaffaCakes118.exe	35
PID 1512 wrote to memory of 2008	1512	b43583b985e29c0d796863b562d1bc72_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\b43583b985e29c0d796863b562d1bc72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b43583b985e29c0d796863b562d1bc72_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "c:\NB_Server.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2464
- - \??\c:\NB_Server.exe
    c:\NB_Server.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "c:\ds1.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ds1.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\NB_Server.exe

Filesize
68KB

MD5
d6de8eaaa073bdecbbb020cbfcaf94c6

SHA1
34263ab745b3db97e95edd388f03b316373f206d

SHA256
80dd8260e1776cf4a1f501f23f2ac4bf7a1587e1ac24c654bb8aab2bd0411edd

SHA512
7cf5c37586a6b9ea7c89571c1eb7f32deac08e9ce13e25069c40ea24deb9a8407786a520c06d4ffaa26c5e23fe2a2bab969431b23060882bf24266788597f008

Download Submit
memory/1512-3-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1512-12-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download