5db9214efa2575c255b42108d15c37d0848bda656d190b9c84fd4acb8b7a92f2

Analysis

max time kernel
142s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
22-08-2024 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b72b26d0de63a9c2071d34b9fb49cde2_JaffaCakes118.exe
Size

743KB
MD5

b72b26d0de63a9c2071d34b9fb49cde2
SHA1

b390b5e9170f1ffc025d648da179c23fe26b6984
SHA256

5db9214efa2575c255b42108d15c37d0848bda656d190b9c84fd4acb8b7a92f2
SHA512

99a99b1cda35fa0a65d432c5de08714b7e6f9d4ca42e76cfe05d68bf7ed7fca99e4187c5e2f73c154cdbfbff5988aa260a24f3b5584c51dd5dbfc94e46dc84d7
SSDEEP

12288:VRn8S++U4u/n/80dW5A0zyo6JwQ5oAlK+GPJvZbIkS7QQ52LYRg08yPwDR9Z:f8MU4ufxdW5A2mJr/kNJvNIkSX3Y

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2840	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2748	zxqsos.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\zxqsos.exe	b72b26d0de63a9c2071d34b9fb49cde2_JaffaCakes118.exe
File created	C:\Windows\61642520.BAT	b72b26d0de63a9c2071d34b9fb49cde2_JaffaCakes118.exe
File created	C:\Windows\zxqsos.exe	b72b26d0de63a9c2071d34b9fb49cde2_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxqsos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b72b26d0de63a9c2071d34b9fb49cde2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	b72b26d0de63a9c2071d34b9fb49cde2_JaffaCakes118.exe
Token: SeDebugPrivilege	2748	zxqsos.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2748	zxqsos.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 3012	2748	zxqsos.exe	31
PID 2748 wrote to memory of 3012	2748	zxqsos.exe	31
PID 2748 wrote to memory of 3012	2748	zxqsos.exe	31
PID 2748 wrote to memory of 3012	2748	zxqsos.exe	31
PID 2272 wrote to memory of 2840	2272	b72b26d0de63a9c2071d34b9fb49cde2_JaffaCakes118.exe	32
PID 2272 wrote to memory of 2840	2272	b72b26d0de63a9c2071d34b9fb49cde2_JaffaCakes118.exe	32
PID 2272 wrote to memory of 2840	2272	b72b26d0de63a9c2071d34b9fb49cde2_JaffaCakes118.exe	32
PID 2272 wrote to memory of 2840	2272	b72b26d0de63a9c2071d34b9fb49cde2_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\b72b26d0de63a9c2071d34b9fb49cde2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b72b26d0de63a9c2071d34b9fb49cde2_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\61642520.BAT
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2840

C:\Windows\zxqsos.exe
C:\Windows\zxqsos.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\61642520.BAT

Filesize
218B

MD5
53d7a0276e0c70828ce0bb3144c358e1

SHA1
58c15999f2c94677af9001d21c4894410c1ae85c

SHA256
2da6ed4bde7cae35acb37aed8dfad77043e5c191952ac5b3ed81ebb03df313f9

SHA512
2a863a3a5f4ca12cc913b7a3bb37bf2e6463b07c8f217c287e541811a81cbd186c8af823d9b265cee4c7796fde384772150b15ced8b4e49e0b9a974cc2fa6769

Download Submit
C:\Windows\zxqsos.exe

Filesize
743KB

MD5
b72b26d0de63a9c2071d34b9fb49cde2

SHA1
b390b5e9170f1ffc025d648da179c23fe26b6984

SHA256
5db9214efa2575c255b42108d15c37d0848bda656d190b9c84fd4acb8b7a92f2

SHA512
99a99b1cda35fa0a65d432c5de08714b7e6f9d4ca42e76cfe05d68bf7ed7fca99e4187c5e2f73c154cdbfbff5988aa260a24f3b5584c51dd5dbfc94e46dc84d7

Download Submit
memory/2272-0-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2272-13-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2748-4-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2748-16-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2748-15-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2748-17-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2748-21-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download