5c407f0222dd4b19ce5fbb6404d938d908d531bda1429aa34eae85b5783f9438

Analysis

max time kernel
11s
max time network
15s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
Size

232KB
MD5

b795f350238fddb6fc48a50add90daff
SHA1

e7a6dd4b4ef3f74ec51c7e2210174b1697e1a893
SHA256

5c407f0222dd4b19ce5fbb6404d938d908d531bda1429aa34eae85b5783f9438
SHA512

7f66310ec564a821dd915d2ce6902953ec5e80c97377193ad196ab49d0e12b9d27e34c7327631704a934ebe4c85503cc46b7fc1403abece504776cf2c4b80ed2
SSDEEP

3072:xGXYXglra/2gmxPmVYT9eSwrweBv3Lp/v4s/lIhB/s+F8lv1DbO38Cb3CB0Pm:gXRJPmVYZeSyXvd/7H+Wp1u3VuK

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXEV.DLL	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_pt-PT.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationFramework.resources.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\hxds.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.SharePoint.BusinessData.Administration.Client.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_ru.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationCore.resources.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1CORE.DLL	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\D3DCompiler_47.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationCore.resources.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msadrh15.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Printing.resources.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\xmlrw.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\3082\MSGR3ES.DLL	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Net.Resources.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\REFEDIT.DLL	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordcnvr.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Conversion.v3.5.resources.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSAEXP30.DLL	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\Microsoft.Ink.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Speech.resources.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Windows.Presentation.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\ReachFramework.resources.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ACWIZRC.DLL	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Microsoft.Synchronization.Data.SqlServerCe.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PTXT9.DLL	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationFramework.resources.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EURO\MSOEURO.DLL	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IdentityModel.Selectors.Resources.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONWordAddin.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mset7.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACEDAO.DLL	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.Contract.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7EN.DLL	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXP_PDF.DLL	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ.DLL	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Onix32.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\rt3d.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\msadcfr.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\CsiSoap.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\Microsoft.Ink.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msmgdsrv.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCNPST32.DLL	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ContactPickerIntl.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Utilities.v3.5.resources.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSEngine.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{8EA3FE23-8E0B-4836-8777-C2D6ED0590DC}\chrome_installer.exe	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdate.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Aero.dll	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b795f350238fddb6fc48a50add90daff_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2540-0-0x0000000000400000-0x000000000043A988-memory.dmp

Filesize
234KB

Download
memory/2540-1-0x000000000040C000-0x0000000000435000-memory.dmp

Filesize
164KB

Download
memory/2540-2-0x0000000000400000-0x000000000043A988-memory.dmp

Filesize
234KB

Download
memory/2540-3-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/2540-5-0x0000000000400000-0x000000000043A988-memory.dmp

Filesize
234KB

Download
memory/2540-4-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/2540-6-0x0000000000400000-0x000000000043A988-memory.dmp

Filesize
234KB

Download
memory/2540-7-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/2540-8-0x000000000040C000-0x0000000000435000-memory.dmp

Filesize
164KB

Download
memory/2540-9-0x0000000000400000-0x000000000043A988-memory.dmp

Filesize
234KB

Download