ed7dff76700389fd26829032175285b3cc61e9aefe1a79f5710c6bdc8685eabd

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b42360f024ac2e717c7fc2449dce1be0_JaffaCakes118.exe
Size

446KB
MD5

b42360f024ac2e717c7fc2449dce1be0
SHA1

bddd42bf2b912f9d402fc38788cdece7cfa6b647
SHA256

ed7dff76700389fd26829032175285b3cc61e9aefe1a79f5710c6bdc8685eabd
SHA512

da21f12630581ec86d3f758c2fef4070fc640a9499e68da096f73c14d8fd4b7070b538e21ec7c40deb3a0dd003d7043d8e529e391127f61c094791737aa0e4fa
SSDEEP

6144:iyH7xOc6H5c6HcT66vlmgHIetsKVLyJS70mXEe2SAscLcbsMuJMvmcXEcZ5iIyuG:iatIasG+o0eY7YGAZ5lJxYFV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2272	svchost.exe
3292	b42360f024ac2e717c7fc2449dce1be0_JaffaCakes118.exe
2468	svchost.exe

Drops file in Program Files directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	b42360f024ac2e717c7fc2449dce1be0_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b42360f024ac2e717c7fc2449dce1be0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b42360f024ac2e717c7fc2449dce1be0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2272	1624	b42360f024ac2e717c7fc2449dce1be0_JaffaCakes118.exe	84
PID 1624 wrote to memory of 2272	1624	b42360f024ac2e717c7fc2449dce1be0_JaffaCakes118.exe	84
PID 1624 wrote to memory of 2272	1624	b42360f024ac2e717c7fc2449dce1be0_JaffaCakes118.exe	84
PID 2272 wrote to memory of 3292	2272	svchost.exe	85
PID 2272 wrote to memory of 3292	2272	svchost.exe	85
PID 2272 wrote to memory of 3292	2272	svchost.exe	85

C:\Users\Admin\AppData\Local\Temp\b42360f024ac2e717c7fc2449dce1be0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b42360f024ac2e717c7fc2449dce1be0_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\b42360f024ac2e717c7fc2449dce1be0_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\b42360f024ac2e717c7fc2449dce1be0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b42360f024ac2e717c7fc2449dce1be0_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3292

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b42360f024ac2e717c7fc2449dce1be0_JaffaCakes118.exe

Filesize
411KB

MD5
2dfcb2393528446aeb9fb861a8fc39ab

SHA1
6289061a6bf4047097cd0a2fff7b3aaf470d834f

SHA256
b5ab4a80fb81904f5655c1365e1bbacc490d7e179fe3361177111df35d225827

SHA512
0adbad97faa21dc7dcb403508ceef48e62647af169c2813001dadbba80dfd4e896c45bcdbc8bc006e431c3badcedd6ea243b244a7e0bb2c88311951aef15bb36

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
0ede982dd41527ae83699bf8f9e40932

SHA1
0391f24b2ca11e1f139593c2b4c1b2d18daae629

SHA256
cbe5279950f34507b9f91e61642e9dfa03ff2fb567dabb6b2303d79cce3d2b44

SHA512
4dd7f9ceed29b6d7d12396bee37381215caa39615954a1ea8f9b9262dd4fdfd3f20ff86928146242092d94e1f6466a9b2800623f3d4aee35e03e86215c7656f1

Download Submit
memory/1624-2-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2272-10-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2468-13-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2468-14-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2468-18-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2468-19-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2468-23-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download