811b85301a29c31b3f92fb77b82c1456f35ad16ee89efa4ae8fa696497798dd4

Analysis

max time kernel
15s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd8579804ab11f3439555c075ab1c1f2_JaffaCakes118.exe
Size

3.8MB
MD5

bd8579804ab11f3439555c075ab1c1f2
SHA1

90a51d9c6fb8eb98889fe2385edf7006982e1d83
SHA256

811b85301a29c31b3f92fb77b82c1456f35ad16ee89efa4ae8fa696497798dd4
SHA512

47664ebeb84e8b996db39a59fef9df0e7b34b6e1b93a5ba779bad75e8c3857fc027f929b57d5c55c6b6010e73d28cbf4b42c612ecef26ca809a6ce317cd675ae
SSDEEP

98304:DV44Y0K1VaUFpt7JkxnJH443KrFGrqP81D:JJY3jhEDKrFGrqkR

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2792	Temp1.exe

Loads dropped DLL 3 IoCs

pid	Process
2212	bd8579804ab11f3439555c075ab1c1f2_JaffaCakes118.exe
2212	bd8579804ab11f3439555c075ab1c1f2_JaffaCakes118.exe
2212	bd8579804ab11f3439555c075ab1c1f2_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SkinH_EL.dll	bd8579804ab11f3439555c075ab1c1f2_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MyInformations.ini	Temp1.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd8579804ab11f3439555c075ab1c1f2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Temp1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1692	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2212	bd8579804ab11f3439555c075ab1c1f2_JaffaCakes118.exe
2212	bd8579804ab11f3439555c075ab1c1f2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2792	2212	bd8579804ab11f3439555c075ab1c1f2_JaffaCakes118.exe	30
PID 2212 wrote to memory of 2792	2212	bd8579804ab11f3439555c075ab1c1f2_JaffaCakes118.exe	30
PID 2212 wrote to memory of 2792	2212	bd8579804ab11f3439555c075ab1c1f2_JaffaCakes118.exe	30
PID 2212 wrote to memory of 2792	2212	bd8579804ab11f3439555c075ab1c1f2_JaffaCakes118.exe	30
PID 2792 wrote to memory of 1692	2792	Temp1.exe	31
PID 2792 wrote to memory of 1692	2792	Temp1.exe	31
PID 2792 wrote to memory of 1692	2792	Temp1.exe	31
PID 2792 wrote to memory of 1692	2792	Temp1.exe	31

C:\Users\Admin\AppData\Local\Temp\bd8579804ab11f3439555c075ab1c1f2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd8579804ab11f3439555c075ab1c1f2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp1.exe
  C:\Users\Admin\AppData\Local\Temp1.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /t /im ZhuDongFangYu.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MyInformations.ini

Filesize
295B

MD5
dba7f39c10a2b282e5c9c5de0f42c2a7

SHA1
85340e55af8c3d0db03e1324086d63a3e520187e

SHA256
3e0641e5e7a964330cf3642a94305580d249878643aff34ccdb96bb6a6f8c31c

SHA512
ba3c140e6eab6c12c9169962169a9bf62f8fd7b497ccf0558f18cae5ba0b26758c1864e235c2b4c62302c22ada5b08a08cef80dd18533597ab27db9bc5275006

Download Submit
\Users\Admin\AppData\Local\Temp1.exe

Filesize
109KB

MD5
fa7ecdbfc024f2d2f8e7e1aca9fcd5cc

SHA1
c8b00214d9b9293f8be284b11d34979808f12d46

SHA256
0aab7f7667bb300708a58e0d2e03e5602bb58ac0b5bc0a75b6bc849dad1b99a4

SHA512
fcb98385e05fc31efe4ac9ddc3ee9ea4bd1f9f9251ca80fc770eac434e13144c26e25596675f5deb9464474d5ab68b1484689831895d45d1292c0d45889a62f6

Download Submit
\Windows\SysWOW64\SkinH_EL.dll

Filesize
688KB

MD5
bd42ef63fc0f79fdaaeca95d62a96bbb

SHA1
97ca8ccb0e6f7ffeb05dc441b2427feb0b634033

SHA256
573cf4e4dfa8fe51fc8b80b79cd626cb861260d26b6e4f627841e11b4dce2f48

SHA512
431b5487003add16865538de428bf518046ee97ab6423d88f92cda4ff263f971c0cf3827049465b9288a219cc32698fd687939c7c648870dd7d8d6776735c93c

Download Submit
memory/2212-7-0x0000000000220000-0x000000000023D000-memory.dmp

Filesize
116KB

Download
memory/2792-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2792-24-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download