f41ad7d84dff054319cca61c55542c294e639cd6d5b741c27cc65b9a3081d944

Analysis

max time kernel
93s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 11:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe
Size

3.8MB
MD5

b775837d344825866b6f29d922dc3a15
SHA1

63d01a0ac959a6735d5a74c50995422c3a0e4fc6
SHA256

f41ad7d84dff054319cca61c55542c294e639cd6d5b741c27cc65b9a3081d944
SHA512

23885cbbae130df1e2f3f74273d5538dff51b445b27d37a13b753db89ba20b09179ec65b4d2397eb3e3372061ebc7301879ccb1392ead0142fa1ee9dcb8ea5ef
SSDEEP

98304:qZ3Hhzj5dIuPtAG2ttscncnb+T1/Pk2lqzncxcDb3n3Qio:aHF56mWRts8M+T1Xk2lqzScD7ngZ

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 14 IoCs

pid	Process
3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe
3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe
3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe
3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe
3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe
3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe
3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe
3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe
3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe
3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe
3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe
3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe
3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe
3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
4528	taskkill.exe
740	taskkill.exe
4412	taskkill.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe
3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe
3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe
3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe
3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe
3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe
3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe
3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe
3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe
3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4528	taskkill.exe
Token: SeDebugPrivilege	740	taskkill.exe
Token: SeDebugPrivilege	4412	taskkill.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 5048	3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe	87
PID 3476 wrote to memory of 5048	3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe	87
PID 3476 wrote to memory of 5048	3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe	87
PID 5048 wrote to memory of 4528	5048	cmd.exe	89
PID 5048 wrote to memory of 4528	5048	cmd.exe	89
PID 5048 wrote to memory of 4528	5048	cmd.exe	89
PID 3476 wrote to memory of 4948	3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe	91
PID 3476 wrote to memory of 4948	3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe	91
PID 3476 wrote to memory of 4948	3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe	91
PID 4948 wrote to memory of 740	4948	cmd.exe	93
PID 4948 wrote to memory of 740	4948	cmd.exe	93
PID 4948 wrote to memory of 740	4948	cmd.exe	93
PID 3476 wrote to memory of 3160	3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe	94
PID 3476 wrote to memory of 3160	3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe	94
PID 3476 wrote to memory of 3160	3476	b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe	94
PID 3160 wrote to memory of 4412	3160	cmd.exe	96
PID 3160 wrote to memory of 4412	3160	cmd.exe	96
PID 3160 wrote to memory of 4412	3160	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b775837d344825866b6f29d922dc3a15_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "Funshion.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "Funshion.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "FSPServer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "FSPServer.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionService.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "FunshionService.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nshBE8F.tmp\ExecCmd.dll

Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBE8F.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBE8F.tmp\InstallOptions.dll

Filesize
12KB

MD5
1d5c649dde35003a618b9679d5d71b92

SHA1
0409bbab3ab34f8c01289cdd847b4d1a32d05b18

SHA256
0f4d3cee24e3f310fa804983c931d3628613988a24f0be7854f63a9309b8e45f

SHA512
b432ebcc52905662d61a3f17e08e209a3f9d836a9071b3b5e80070af7ebcf34cf66c44426dda041c2a258fda4787e5692e2b35acbcd73288fb84fe3c977bbfd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBE8F.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBE8F.tmp\System.dll

Filesize
10KB

MD5
4eff5fafd746f5decb93a44e3a3d570c

SHA1
a11aa7681b7e2df1c7f7492a127d332d1495ea8a

SHA256
cf61ddd15d63c25a12caee70f51ea736cfc02195c42e56ee01b33f689d3754c5

SHA512
cde82d2a1f28506e4c2264f6b82017a00af32f138ebcdbaf4cc58463870fa626f708aa57465294c5a6f096c886841e7b9112b85bf3ea2f1d8f2da816b51b2d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBE8F.tmp\WelcomePage.ini

Filesize
139B

MD5
4c08a79cc39d19b0b8ee426bd50c55d2

SHA1
978512c2c52b87ed553c9ece152f008bc37572d2

SHA256
4f45507c73b8d588fd131be9d23e61b52dc64056712e7fb11bfff5cf699b02fc

SHA512
9e1d3e7f2040ad6b1162e637a99998c1185fd9569144b47bea1f467fd34149f013bb63e72f1aaa355c9af3367dd530f3dfe5117f7ec0ee6b5e3a657ad9db10a2

Download Submit