9aa8f3ca265f825140107b16f26a5fb486bd3f96ed20166d1bca385274b78a09

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22-08-2024 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b986a3f9f147f2e6cafa35b6769975af_JaffaCakes118.exe
Size

316KB
MD5

b986a3f9f147f2e6cafa35b6769975af
SHA1

88168e51ae183240b685bbd681e47e9f4ef1a735
SHA256

9aa8f3ca265f825140107b16f26a5fb486bd3f96ed20166d1bca385274b78a09
SHA512

7f5e9049286d41ab302166175314072ddc0709c24f40eedb56a870e8c79881fa8b904a1dfce2da6931dfc03fd030653d1487c185680cd44c52dd91de4a47b9ce
SSDEEP

3072:IEOuf0M1u2ZoBS6bDvr3UrmBp0wOC2BLCAH+wTx5GUTsuZfY:vOuf0Tj7cy0wOC4LCAHMUwuZg

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
296	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2652	dfircb.exe

Loads dropped DLL 2 IoCs

pid	Process
296	cmd.exe
296	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b986a3f9f147f2e6cafa35b6769975af_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfircb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2256	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2256	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 300 wrote to memory of 296	300	b986a3f9f147f2e6cafa35b6769975af_JaffaCakes118.exe	31
PID 300 wrote to memory of 296	300	b986a3f9f147f2e6cafa35b6769975af_JaffaCakes118.exe	31
PID 300 wrote to memory of 296	300	b986a3f9f147f2e6cafa35b6769975af_JaffaCakes118.exe	31
PID 300 wrote to memory of 296	300	b986a3f9f147f2e6cafa35b6769975af_JaffaCakes118.exe	31
PID 296 wrote to memory of 2652	296	cmd.exe	33
PID 296 wrote to memory of 2652	296	cmd.exe	33
PID 296 wrote to memory of 2652	296	cmd.exe	33
PID 296 wrote to memory of 2652	296	cmd.exe	33
PID 296 wrote to memory of 2256	296	cmd.exe	34
PID 296 wrote to memory of 2256	296	cmd.exe	34
PID 296 wrote to memory of 2256	296	cmd.exe	34
PID 296 wrote to memory of 2256	296	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\b986a3f9f147f2e6cafa35b6769975af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b986a3f9f147f2e6cafa35b6769975af_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\hlrqvbd.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:296
- - C:\Users\Admin\AppData\Local\Temp\dfircb.exe
    "C:\Users\Admin\AppData\Local\Temp\dfircb.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2652
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dfircb.exe

Filesize
180KB

MD5
b657954eef03f451820b42f063c700eb

SHA1
63d1334973482b4ed7170d9102d3d19d56b6d4d9

SHA256
7cd950d8ed401a874a682ea4091a2dc3bb915fe74d672af2ad7fef048ff85364

SHA512
e48451fb386a2b08d9f707ede30f6d97cba1e810688c9394a9705a2742c8a674681e0aacda21deadb44215b8fecab23b4a1b61add71c543e62668e977c63cbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlrqvbd.bat

Filesize
124B

MD5
0c97bf008db49a10fd42a80c5ff2d83a

SHA1
a052949e09008a738ebcb829ebab1c20c50c7364

SHA256
a78069dc1b4653cb11097d8cfe4999bde33e19be2f09da842ab53f93f1a18131

SHA512
202624c562bc84d333f848ffa7321ca5cf17f4fe26f48c647c012094860e4c372f2fb424d238ee9dfae67790e58e75d7caf726133762de8fe922b36d1d9f267a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msmajo.bat

Filesize
170B

MD5
3e790254db9ff20b525aa8d3f40ab4a6

SHA1
9daafc2f8053a782e523e8ef281d7210055d76cf

SHA256
e500a29a66f086063a0b60c7e970aac4d14ee7a1c19759f4f5c20ce138e133fd

SHA512
361586e84c9e07c532da23525e3f8ad4b30ddbef9b1722c09f445fdba17573c3b8ee6b06e0d9e053ddf96315b801da657effec5757e1754accb392b89da3f857

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads