ce33bd09dd64321ac520a432f2b95c1bdc35943c92f30d740e60f0a4c8ee661d

Analysis

max time kernel
14s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 18:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b89b3e4d1fa60b0f7fc822c79107cb85_JaffaCakes118.exe
Size

547KB
MD5

b89b3e4d1fa60b0f7fc822c79107cb85
SHA1

eaf270b1e31473d6a94b6cbb27d40ac458dd87d5
SHA256

ce33bd09dd64321ac520a432f2b95c1bdc35943c92f30d740e60f0a4c8ee661d
SHA512

7d24fce150f4e504ef31fcb205b37cc605a6051acf982b6ad0e785e067f72854086bdff4b2bb357e617dd6c18ba14966b54b8be773d23a147a40c05d2f41a5c2
SSDEEP

12288:0DxxbW1vytdG3XyzxJo6lx5NP2lM2OrcvcuDk/:ZGe0xJokNedOAFD

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2084	tasklist32.exe
2164	tasklist32.exe

Loads dropped DLL 4 IoCs

pid	Process
1796	b89b3e4d1fa60b0f7fc822c79107cb85_JaffaCakes118.exe
1796	b89b3e4d1fa60b0f7fc822c79107cb85_JaffaCakes118.exe
2084	tasklist32.exe
2084	tasklist32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\tasklist32.exe	b89b3e4d1fa60b0f7fc822c79107cb85_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\tasklist32.exe	b89b3e4d1fa60b0f7fc822c79107cb85_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b89b3e4d1fa60b0f7fc822c79107cb85_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1796	b89b3e4d1fa60b0f7fc822c79107cb85_JaffaCakes118.exe
2084	tasklist32.exe
2164	tasklist32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2084	1796	b89b3e4d1fa60b0f7fc822c79107cb85_JaffaCakes118.exe	29
PID 1796 wrote to memory of 2084	1796	b89b3e4d1fa60b0f7fc822c79107cb85_JaffaCakes118.exe	29
PID 1796 wrote to memory of 2084	1796	b89b3e4d1fa60b0f7fc822c79107cb85_JaffaCakes118.exe	29
PID 1796 wrote to memory of 2084	1796	b89b3e4d1fa60b0f7fc822c79107cb85_JaffaCakes118.exe	29
PID 2084 wrote to memory of 2164	2084	tasklist32.exe	30
PID 2084 wrote to memory of 2164	2084	tasklist32.exe	30
PID 2084 wrote to memory of 2164	2084	tasklist32.exe	30
PID 2084 wrote to memory of 2164	2084	tasklist32.exe	30

C:\Users\Admin\AppData\Local\Temp\b89b3e4d1fa60b0f7fc822c79107cb85_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b89b3e4d1fa60b0f7fc822c79107cb85_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1796
- \??\c:\windows\SysWOW64\tasklist32.exe
  c:\windows\system32\tasklist32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2084
- - \??\c:\windows\SysWOW64\tasklist32.exe
    c:\windows\system32\tasklist32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\tasklist32.exe

Filesize
547KB

MD5
b89b3e4d1fa60b0f7fc822c79107cb85

SHA1
eaf270b1e31473d6a94b6cbb27d40ac458dd87d5

SHA256
ce33bd09dd64321ac520a432f2b95c1bdc35943c92f30d740e60f0a4c8ee661d

SHA512
7d24fce150f4e504ef31fcb205b37cc605a6051acf982b6ad0e785e067f72854086bdff4b2bb357e617dd6c18ba14966b54b8be773d23a147a40c05d2f41a5c2

Download Submit
memory/1796-0-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/1796-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1796-15-0x0000000002D20000-0x000000000301C000-memory.dmp

Filesize
3.0MB

Download
memory/1796-32-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2084-13-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2084-14-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2084-21-0x0000000002BC0000-0x0000000002EBC000-memory.dmp

Filesize
3.0MB

Download
memory/2084-30-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2164-24-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2164-23-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2164-29-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download