38e511f412b6e42852b188d61fa34e451c0b06a7362a9f9f9b5720d25dc044c2

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7a070b85f0e4cdafcde3a61902f63df_JaffaCakes118.exe
Size

32KB
MD5

b7a070b85f0e4cdafcde3a61902f63df
SHA1

8b809fa5e28ac11694fa454745b5954cca5a618b
SHA256

38e511f412b6e42852b188d61fa34e451c0b06a7362a9f9f9b5720d25dc044c2
SHA512

f81961394ce32de2bc747201d9fa35bd3b20a447fff66e22d2e0e13d366770b24a69caff5d5efb25b2d58691d6a4797c3d79dd70451fe31b55f6a9d184f798b2
SSDEEP

768:PeqgM/4bLQtJL9vFlkxjiFHgZBmwC6Zjn5C42M3wJJgp4T:WqBwbLWJLJFKqAZzrZA4kJJi4T

Score

6^/10

discovery

Malware Config

Signatures

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7a070b85f0e4cdafcde3a61902f63df_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2732	b7a070b85f0e4cdafcde3a61902f63df_JaffaCakes118.exe
Token: SeBackupPrivilege	2732	b7a070b85f0e4cdafcde3a61902f63df_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2772	2732	b7a070b85f0e4cdafcde3a61902f63df_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2772	2732	b7a070b85f0e4cdafcde3a61902f63df_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2772	2732	b7a070b85f0e4cdafcde3a61902f63df_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2772	2732	b7a070b85f0e4cdafcde3a61902f63df_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2772	2732	b7a070b85f0e4cdafcde3a61902f63df_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2772	2732	b7a070b85f0e4cdafcde3a61902f63df_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2772	2732	b7a070b85f0e4cdafcde3a61902f63df_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2684	2772	cmd.exe	32
PID 2772 wrote to memory of 2684	2772	cmd.exe	32
PID 2772 wrote to memory of 2684	2772	cmd.exe	32
PID 2772 wrote to memory of 2684	2772	cmd.exe	32
PID 2772 wrote to memory of 2684	2772	cmd.exe	32
PID 2772 wrote to memory of 2684	2772	cmd.exe	32
PID 2772 wrote to memory of 2684	2772	cmd.exe	32
PID 2684 wrote to memory of 2608	2684	cmd.exe	34
PID 2684 wrote to memory of 2608	2684	cmd.exe	34
PID 2684 wrote to memory of 2608	2684	cmd.exe	34
PID 2684 wrote to memory of 2608	2684	cmd.exe	34
PID 2684 wrote to memory of 2608	2684	cmd.exe	34
PID 2684 wrote to memory of 2608	2684	cmd.exe	34
PID 2684 wrote to memory of 2608	2684	cmd.exe	34
PID 2608 wrote to memory of 2208	2608	net.exe	35
PID 2608 wrote to memory of 2208	2608	net.exe	35
PID 2608 wrote to memory of 2208	2608	net.exe	35
PID 2608 wrote to memory of 2208	2608	net.exe	35
PID 2608 wrote to memory of 2208	2608	net.exe	35
PID 2608 wrote to memory of 2208	2608	net.exe	35
PID 2608 wrote to memory of 2208	2608	net.exe	35
PID 2684 wrote to memory of 2720	2684	cmd.exe	36
PID 2684 wrote to memory of 2720	2684	cmd.exe	36
PID 2684 wrote to memory of 2720	2684	cmd.exe	36
PID 2684 wrote to memory of 2720	2684	cmd.exe	36
PID 2684 wrote to memory of 2720	2684	cmd.exe	36
PID 2684 wrote to memory of 2720	2684	cmd.exe	36
PID 2684 wrote to memory of 2720	2684	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\b7a070b85f0e4cdafcde3a61902f63df_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b7a070b85f0e4cdafcde3a61902f63df_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\dt.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K c:\windows\temp\r.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\net.exe
      net stop sharedaccess
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
  - - C:\Windows\SysWOW64\ftp.exe
      ftp -s:c:\windows\temp\f.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Share Discovery

T1135

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dt.bat

Filesize
1KB

MD5
676afdfa824e13b72aecaf6d0d65fa6c

SHA1
f5e918c9fe29a9b432be38b812a6087f4a49bff2

SHA256
896520460c090bcacba8cf6f633abf2e4c6e01c8284737b60b1f51063246e72a

SHA512
4ac34dd1eb77862206dc608c9b57e2956857407b7c5eced45c20b6577e2d53755254fd38300a2b7d02624c37a652ade86add230cd33c452bec380688f414f633

Download Submit
\??\c:\windows\temp\f.txt

Filesize
76B

MD5
e492c90155bb26e6c57c202780f35093

SHA1
83d3d0a8af4fbcd3b70a22611578ef5b5966fcb9

SHA256
ff07e608a348217c1306a1ff202f9b91fddf104b9367c4ee911bccefe04edb94

SHA512
b3265b4f58966441813a0da9032d68e061dcbe6213f82b10f83addafe93627d66637105b443534fac8e074340ff50e07e14437309ad88befc774d2daf5286259

Download Submit
\??\c:\windows\temp\r.bat

Filesize
164B

MD5
f22ad73544c4463a4fe267ed2c646a20

SHA1
9faba5662a5f43fad4df2182fb3c45199cd316c8

SHA256
188e171e17dad12fa1b8067a8b86bc113c0f9df9d9ef03e89006f9c3f7c51c98

SHA512
2c52ceee850adbb90863452815d60596931c485c921ef1a7c3ed8d0de028cbbfc561d62e25beb63410e867da63ebfef6c7cf0f2d1cb75fe13e566731f4df2abd

Download Submit