4be74fefac92ecf5ea2e62db8ff92209da8f64c1381e8780fc1a82fe62c0d72f

Analysis

max time kernel
136s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9627218d06ef7e68162be7c0fca4c2a_JaffaCakes118.exe
Size

140KB
MD5

b9627218d06ef7e68162be7c0fca4c2a
SHA1

42e558fdb6df018dc308aecf373b1f0320e59cff
SHA256

4be74fefac92ecf5ea2e62db8ff92209da8f64c1381e8780fc1a82fe62c0d72f
SHA512

716ace9ef248ab32337c82a5dc796205488973840369074b70ce574f168153c89564827d99833979520cb06db78a6c259edf528e8194ad19e15c231c409b22ae
SSDEEP

3072:TWH1DzbtwcmpMAdis9MZKpENA1PshTludI:U1DnYyAdqAOQd

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Enhance High Quality System Color.job	b9627218d06ef7e68162be7c0fca4c2a_JaffaCakes118.exe
File created	C:\Windows\Tasks\Enhance High Quality System Color.job	b9627218d06ef7e68162be7c0fca4c2a_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9627218d06ef7e68162be7c0fca4c2a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9627218d06ef7e68162be7c0fca4c2a_JaffaCakes118.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	b9627218d06ef7e68162be7c0fca4c2a_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\LastTask = "1"	b9627218d06ef7e68162be7c0fca4c2a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1828	b9627218d06ef7e68162be7c0fca4c2a_JaffaCakes118.exe
2600	b9627218d06ef7e68162be7c0fca4c2a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2600	3008	taskeng.exe	32
PID 3008 wrote to memory of 2600	3008	taskeng.exe	32
PID 3008 wrote to memory of 2600	3008	taskeng.exe	32
PID 3008 wrote to memory of 2600	3008	taskeng.exe	32

C:\Users\Admin\AppData\Local\Temp\b9627218d06ef7e68162be7c0fca4c2a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b9627218d06ef7e68162be7c0fca4c2a_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1828

C:\Windows\system32\taskeng.exe
taskeng.exe {B9713512-6B81-4A36-BA6F-368888F81E3E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Local\Temp\b9627218d06ef7e68162be7c0fca4c2a_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\b9627218d06ef7e68162be7c0fca4c2a_JaffaCakes118.exe
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Tasks\Enhance High Quality System Color.job

Filesize
324B

MD5
0a57a01d8fbb8bda0ff876b0a4f1c276

SHA1
acc8fc31048e73b231a15ccaefcce3c675d917f3

SHA256
15c07ed2bf14f06980ebcc200cf3744ae8d8c6eca4cbe775acd7a4a874e2d3b5

SHA512
cc58dc39d26825560ad57a2ab4b9161860e680dd44966327d97f38090d3a11d6bd1bd3830d0db8c9556ed6353cb9961cf55dfc37b1c6622f4691eba1c20a5e22

Download Submit