9f2400c583bf895751a988e1daa383932a0508273e27e76db89759c6ad0d3626

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
Size

232KB
MD5

b821af91801eb778f6ca1bdc67df042b
SHA1

3dd3ad700423bc0857df311ead7606b18857c5b4
SHA256

9f2400c583bf895751a988e1daa383932a0508273e27e76db89759c6ad0d3626
SHA512

b16b686502b3d32116c086563d6efcd1818a65d0a6b4ca8e95dceb6edcea99ed21ffdc46a31d2494c65016e2fbfb7819361f5f4c71462a8f0df346da08bb1d8f
SSDEEP

6144:7VdHl5i0Mm6aQc6UeI77KVgS/wnjhHFpG4b3y:7VdR16TBUJKVgk4jhGmy

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2788	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	30
PID 2208 wrote to memory of 2788	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	30
PID 2208 wrote to memory of 2788	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	30
PID 2208 wrote to memory of 2788	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	30
PID 2208 wrote to memory of 2740	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	32
PID 2208 wrote to memory of 2740	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	32
PID 2208 wrote to memory of 2740	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	32
PID 2208 wrote to memory of 2740	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	32
PID 2208 wrote to memory of 2604	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	33
PID 2208 wrote to memory of 2604	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	33
PID 2208 wrote to memory of 2604	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	33
PID 2208 wrote to memory of 2604	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	33
PID 2208 wrote to memory of 2924	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	35
PID 2208 wrote to memory of 2924	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	35
PID 2208 wrote to memory of 2924	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	35
PID 2208 wrote to memory of 2924	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	35
PID 2208 wrote to memory of 2052	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	36
PID 2208 wrote to memory of 2052	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	36
PID 2208 wrote to memory of 2052	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	36
PID 2208 wrote to memory of 2052	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	36
PID 2208 wrote to memory of 2304	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	37
PID 2208 wrote to memory of 2304	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	37
PID 2208 wrote to memory of 2304	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	37
PID 2208 wrote to memory of 2304	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	37
PID 2208 wrote to memory of 1540	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	38
PID 2208 wrote to memory of 1540	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	38
PID 2208 wrote to memory of 1540	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	38
PID 2208 wrote to memory of 1540	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	38
PID 2208 wrote to memory of 1976	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	39
PID 2208 wrote to memory of 1976	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	39
PID 2208 wrote to memory of 1976	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	39
PID 2208 wrote to memory of 1976	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	39
PID 2208 wrote to memory of 1928	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	40
PID 2208 wrote to memory of 1928	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	40
PID 2208 wrote to memory of 1928	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	40
PID 2208 wrote to memory of 1928	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	40
PID 2208 wrote to memory of 992	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	42
PID 2208 wrote to memory of 992	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	42
PID 2208 wrote to memory of 992	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	42
PID 2208 wrote to memory of 992	2208	b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe	42

C:\Users\Admin\AppData\Local\Temp\b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b821af91801eb778f6ca1bdc67df042b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin31BB.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2788
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinBC06.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2740
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin6FB9.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2604
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin96A8.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2924
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinBC06.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2052
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinB432.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2304
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin6ADE.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1540
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin96A8.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tinACB9.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1928
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin79A0.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\5F6844C9\cfg\1.ini

Filesize
10KB

MD5
5ecd0a1c0993a62ff81ec1b2e25906f2

SHA1
2f16403b0e33ab0e95b118e1055e62021273e62d

SHA256
512bce7a3c222e34851ec2065ec8e3f1334ed70538a27457dc6504c6994e3df9

SHA512
1b2eb0d86fb8530d7e7aac25c799f09a9205dbd1a2936500ef99771bd69c9f94414bc83bfbf0d74ab0e1d987ad859c2515180cfc034d9ccc85d4a1878aa995c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F6844C9\Setup.exe

Filesize
15KB

MD5
39e03e22e2c5cb67a7a750805de9435a

SHA1
50a3ff79f3815f58c8f2bb918fe156037a892387

SHA256
7d471a8df92de59217c60f1d1b2882fb04eadb44cf2dd313bba3c7e4d39678b4

SHA512
c7944d56f70190b3e6417f8923c844308d4840954afd613320c497170d87aa1300dc65472926c8691a242aa7fafbbdb3f2357ec178b340789f92245bb00dfff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F6844C9\Setup.ico

Filesize
4KB

MD5
c3926cef276c0940dadbc8142153cec9

SHA1
f8b350d2b7158f5ab147938961439860d77b9cb4

SHA256
0ec48e3c1886bc0169a4bc262f012e9b7914e3b440bb0ecc4d8123924abc9b93

SHA512
5b9958095b8a7b39b3a2226a5242faec8d2d799d10e1e4ed6dbfb8aaebe51b7496cf4bb5ad588366a296671df3ba46a3f42860abc7f9501b4cc5efd55dd87904

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin31BB.bat

Filesize
44B

MD5
7723c6bf4aa0a9356f10005131caec8d

SHA1
77db6f03684dd6597eb46bacb2eeb628944a6d8f

SHA256
3c34984b0121ae61a1c15099a12c0c51481ab73e2a961557d18b2efbb38184d4

SHA512
d9cba46feeb3006561d3c13c4783c66520cf1fe986e8b55887d4512174e7f60048992ee9fc573c13b2be6c66047fc4919c92691bdb5234e44d8c59f1463ab8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin6ADE.vbs

Filesize
819B

MD5
0e4d3992166b5937274fa92e6e0ef99c

SHA1
32804f9362e8f842d81724b464a2d11db543c1e9

SHA256
1a7c7c703f79ae617f9b200a6059df21b353b8f4699e4659e388a1d0df31091f

SHA512
ae0909b8c2e84010b71e84c01b188dec647dfdf6ef1ded0eee3ea8f9c06b7835ad14273bc3ee1daf77c54f4d1558aa4ba264f7da2734564ff3cdfcf7aa5944c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin6FB9.vbs

Filesize
1KB

MD5
af9abe0d6b919ea101942e5ce024c8d6

SHA1
56c98c3b53ff743acd3101116ea3136c66f87a2c

SHA256
27a4532cc40474fa8e89311e345ae0510523ba344f122510fd25e954dca96265

SHA512
bfac6b0b7ab22b64dced599a50cde16d2213bc24cda29f6cb5919c8576e319744ea5e07f4820f687183059e86111718619cb35bbd8a01fcf44664021ad075119

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin79A0.bat

Filesize
46B

MD5
ad2bbe71cf6ad0243143e5d841e84835

SHA1
78e290cb94731766dad12a884fdd2b9254b37d34

SHA256
c1b7f5a9a6878bfbbfa0d861c3dcca1b0261f186abbe509c4726892f6c861651

SHA512
d7d4864c2cb8e0e5212a7403855c96ef57e0757f8e3e50c6ffbfccd1ec0184b50d211ba1a8fdf9f89f47b688533b492de59dfa1fc8f0cb213c3efa995a59fdaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin96A8.vbs

Filesize
2KB

MD5
bd30de51d91b16ffd45c85cae60f49f4

SHA1
cf07463a231eff49166ae513b54257722013ee3d

SHA256
d1f521b4f1a3d35ca0bc9f3f1fe2a092814441378e00567ed3afafd3d4515e19

SHA512
e260d3d66363fda29527fba68f292cf9f1bd45aa47999e6ebc31d4205ac321d1a91b50f818ec466362b0d2e4cd54285a0266c9e4db58793cc8667280fd11d79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinACB9.bat

Filesize
50B

MD5
afd1e5b8031e29eb3c94b2edb7a5485d

SHA1
08fdb21a99a0f91cb008144ec249b5eb1cd525f6

SHA256
01a28a52cc854e70830fc9c0c6914e133ecf54932b611fb1b9a4c5f756cdce9b

SHA512
3b795d2f94a222b5479d085268832ce7486746420430641d5ee092d5bb78c88b28870c5028e223ca89397ab5968c611e77e6e3c10405dce242281abf3cd45c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinB432.vbs

Filesize
419B

MD5
13d4e9b077cca14db5ca9c464c590e12

SHA1
36b9392dd6481afa14647d2ccdad184afd461889

SHA256
b1ab833022975434c5c6ce4b2fde6390a229ff0f22d32ebc7006245df70a0a5a

SHA512
d043bcb71923adee4095977d795934ec6680d46b86aa00b1396a5d9983895dbd76e3f94a0ee3e3b91b12577a3657cb3226ba6c73c3cbd38b23ac5c50411f94f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinBC06.vbs

Filesize
304B

MD5
feeea64efee045be89023f8437397a0c

SHA1
6daa57e31f740bc75db53118b2d23d9ca176a878

SHA256
f06dfc8ebf5453fccafb5cb3fbb291e52dea372c5b39c75f1c2684bd9bae8ef4

SHA512
6deee8db105dd112ae104897d23b8bfc32a24704e2510b1a9ff4eaf0fe00a64597f7ba9ca0eeaae72fc97718004ecec81ab56c39452d52f966c190b784d1f3d8

Download Submit
\Users\Admin\AppData\Local\Temp\5F6844C9\_Setup.dll

Filesize
146KB

MD5
a3f3a3b608f9a6d604730cb689dc23c6

SHA1
67dbeb74940250916e0592e596aa492c09694f74

SHA256
4020fabec983278cb2f9b1eaa17cd9466bbdbd0842a35182e34ecd302ae9d342

SHA512
beb0ad1f1b2530366dbc366a642d27965d7e851055086d7c302612eae88d19a501d46c66737c8ee4d0d0c2915d9768cd4d2f1b8e5347bcc3480facdb73484c84

Download Submit
\Users\Admin\AppData\Local\Temp\5F6844C9\_Setupx.dll

Filesize
16KB

MD5
f17dce858db6f84c1c149f8aebb1ce58

SHA1
e54f8c536dd66610d0678a3532c4f8834b01abe6

SHA256
f32c9be19334ec4a212d173f43e3a97e08434000ff7cef8584afbf72e05ba845

SHA512
c08f9efb7a3514c7829d7c9bd0ef384bbe038e695021a089b354eab6e9c13408fab31a01f502013c27c1a50e2e223ad3c33f4ed7424498b4077091c0044b7ce7

Download Submit
\Users\Admin\AppData\Local\Temp\Tsu-08A0.dll

Filesize
245KB

MD5
8c7a58965b71c9dfbf1a14d3369a2620

SHA1
26380249b9bdf1ab864b1c8fa4d01e4c28ba9b5c

SHA256
f94e3692cf74256ef5f9df081592603e5b3aac4490ce39cf88363c5f24fa5aa7

SHA512
97302e9a0f53fb7239c92049d61d65be2958de3d674cdc25fb2ac10424814930e982278d6d6e8df2e270116a5a1b7d1cfea14250aea99191f3efd571357c7023

Download Submit