148c1716b9308099e75d824a04bec51e20b3c7bb3428fac1f119927cc5fc49e2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4925ce13fc149461ed338556582ef40_JaffaCakes118.exe
Size

549KB
MD5

b4925ce13fc149461ed338556582ef40
SHA1

5a2c8fcc39a0e7efbcb2ec635cd85507d315581b
SHA256

148c1716b9308099e75d824a04bec51e20b3c7bb3428fac1f119927cc5fc49e2
SHA512

8c67ec5928ad9f9760488d81ad5ed143b3185e51578636a11aa1a413100b15e23dae5dc067ced3f72c4bd968a69ad84aee1b9700a1210b1b26688f2857566d0b
SSDEEP

12288:TbdJigLGKLPe/HWuj2OH1c2obY7gvKOB2yLvjk:nvigLJPyHWuq6ocQKOB2Uvjk

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1196	conime.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\conime.exe	b4925ce13fc149461ed338556582ef40_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	b4925ce13fc149461ed338556582ef40_JaffaCakes118.exe
File created	C:\Windows\conime.exe	b4925ce13fc149461ed338556582ef40_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4925ce13fc149461ed338556582ef40_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conime.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	conime.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	conime.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	conime.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	conime.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	conime.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3776	b4925ce13fc149461ed338556582ef40_JaffaCakes118.exe
Token: SeDebugPrivilege	1196	conime.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1196	conime.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 3760	1196	conime.exe	88
PID 1196 wrote to memory of 3760	1196	conime.exe	88
PID 3776 wrote to memory of 5044	3776	b4925ce13fc149461ed338556582ef40_JaffaCakes118.exe	90
PID 3776 wrote to memory of 5044	3776	b4925ce13fc149461ed338556582ef40_JaffaCakes118.exe	90
PID 3776 wrote to memory of 5044	3776	b4925ce13fc149461ed338556582ef40_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\b4925ce13fc149461ed338556582ef40_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b4925ce13fc149461ed338556582ef40_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5044

C:\Windows\conime.exe
C:\Windows\conime.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\conime.exe

Filesize
549KB

MD5
b4925ce13fc149461ed338556582ef40

SHA1
5a2c8fcc39a0e7efbcb2ec635cd85507d315581b

SHA256
148c1716b9308099e75d824a04bec51e20b3c7bb3428fac1f119927cc5fc49e2

SHA512
8c67ec5928ad9f9760488d81ad5ed143b3185e51578636a11aa1a413100b15e23dae5dc067ced3f72c4bd968a69ad84aee1b9700a1210b1b26688f2857566d0b

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
5dc14f352215789338206fc88562e155

SHA1
0bbae106d0f59c58939932caf5092872aee8a651

SHA256
45363e2f584a061cb76390b2a81d3948a4157d598a2f3be19e488921d7a7c547

SHA512
dd4e87070e08c03e9b7803ad8e823cd15cbfe959f7260d43358018fa0ebb1d09a3a8d429b2b2d3c4a6b1b35c69cda0ea5ddf886818d34fc801e86ee59d6a3205

Download Submit
memory/1196-54-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1196-50-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1196-44-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3776-34-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-30-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-10-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

Filesize
4KB

Download
memory/3776-6-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/3776-5-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/3776-4-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/3776-12-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-13-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-3-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3776-17-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-15-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-16-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-39-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-38-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-37-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-36-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-35-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-0-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3776-33-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-32-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-31-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-9-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/3776-29-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-28-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-27-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-26-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-25-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-24-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-23-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-22-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-21-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-20-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-19-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-18-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-14-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/3776-11-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/3776-7-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/3776-47-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3776-48-0x0000000002180000-0x00000000021D0000-memory.dmp

Filesize
320KB

Download
memory/3776-8-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/3776-2-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/3776-1-0x0000000002180000-0x00000000021D0000-memory.dmp

Filesize
320KB

Download