ff617aa42d285c950b0282c301726302f3916ce76d37d1436058e5462539f361

Analysis

max time kernel
142s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b94438b1327fb9c79d35acd2f8b248bb_JaffaCakes118.exe
Size

72KB
MD5

b94438b1327fb9c79d35acd2f8b248bb
SHA1

5167019662e631d3f35bc967fdf1d9d08928cc78
SHA256

ff617aa42d285c950b0282c301726302f3916ce76d37d1436058e5462539f361
SHA512

6adebe24e30eaf15336bc5d58a0988baaf536ecf64dacb1983494f7dfb2aaae8fddb965095d66b76dd34eda5841fa8c2e7ff6714cef1c6c0012f15f94334151c
SSDEEP

1536:pgxBd7BUAyxtLDgxNLCntfblILcVAhzp/BYU:swLD89CdbuLw6zp/d

Score

7^/10

discovery evasion trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
968	SVCH0ST.COM

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b94438b1327fb9c79d35acd2f8b248bb_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\INJGN0T7XQ.exe	b94438b1327fb9c79d35acd2f8b248bb_JaffaCakes118.exe
File opened for modification	C:\Windows\INJGN0T7XQ.exe	b94438b1327fb9c79d35acd2f8b248bb_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b94438b1327fb9c79d35acd2f8b248bb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCH0ST.COM

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2164	b94438b1327fb9c79d35acd2f8b248bb_JaffaCakes118.exe
2164	b94438b1327fb9c79d35acd2f8b248bb_JaffaCakes118.exe
2164	b94438b1327fb9c79d35acd2f8b248bb_JaffaCakes118.exe
2164	b94438b1327fb9c79d35acd2f8b248bb_JaffaCakes118.exe
2164	b94438b1327fb9c79d35acd2f8b248bb_JaffaCakes118.exe
968	SVCH0ST.COM
968	SVCH0ST.COM
968	SVCH0ST.COM

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 968	2164	b94438b1327fb9c79d35acd2f8b248bb_JaffaCakes118.exe	29
PID 2164 wrote to memory of 968	2164	b94438b1327fb9c79d35acd2f8b248bb_JaffaCakes118.exe	29
PID 2164 wrote to memory of 968	2164	b94438b1327fb9c79d35acd2f8b248bb_JaffaCakes118.exe	29
PID 2164 wrote to memory of 968	2164	b94438b1327fb9c79d35acd2f8b248bb_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\b94438b1327fb9c79d35acd2f8b248bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b94438b1327fb9c79d35acd2f8b248bb_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2164
- C:\SVCH0ST.COM
  "C:\SVCH0ST.COM" wb
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SVCH0ST.COM

Filesize
32KB

MD5
3c1489cf535df31ad83c18482ab3908f

SHA1
1d2bf1d469742800c26a0b5575fcd77a2a602dc0

SHA256
7f89be14cc09351750a7cd48914653d845a768dcabc867c740daa00d3dd99f08

SHA512
9927ad6855c1af49fc32d30ab111a2ef3bfa59b3d0cdc13948e1a65e4bb428cd6c6ac49a71676778d1b5f458e78731c1c6cd2d7685d9633566f87ec9db039fee

Download Submit