ac8f52671bfb89fe4eaddeb7dffb471205d4dfc88ee3b64efb349027959382e7

Analysis

max time kernel
148s
max time network
144s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd79defe4e98b1daa53e815456b0fcfb_JaffaCakes118.exe
Size

2.5MB
MD5

bd79defe4e98b1daa53e815456b0fcfb
SHA1

b90fc77d5d171181487f7ea8a0aa88d0a0702d92
SHA256

ac8f52671bfb89fe4eaddeb7dffb471205d4dfc88ee3b64efb349027959382e7
SHA512

854161c715633ad6b37f2e20673dc8695fc671fba4348a62c11b38ecf5fe7207876ea1430fc6d9722fd6125321c8efd02b5ecd5d06d7da93a046f199bc955ab2
SSDEEP

1536:rWW9hZZ+PVGdm9Rb7HDlcDw/sH3lVQ3poAr/kNkFlZBFTcJa:rLpYN4m9LcDw+qqAr/kNAluJa

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2688	Explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
2688	Explorer.exe
2752	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2372	bd79defe4e98b1daa53e815456b0fcfb_JaffaCakes118.exe
2688	Explorer.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Ekdndbtkyo\Path.rcd	bd79defe4e98b1daa53e815456b0fcfb_JaffaCakes118.exe
File created	C:\Program Files (x86)\Dtjqmk Doskkpav\Explorer.exe	bd79defe4e98b1daa53e815456b0fcfb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Dtjqmk Doskkpav\Explorer.exe	bd79defe4e98b1daa53e815456b0fcfb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Ekdndbtkyo\17696	Explorer.exe
File opened for modification	C:\Program Files (x86)\Ekdndbtkyo\19251	Explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd79defe4e98b1daa53e815456b0fcfb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe
2688	Explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2688	2372	bd79defe4e98b1daa53e815456b0fcfb_JaffaCakes118.exe	31
PID 2372 wrote to memory of 2688	2372	bd79defe4e98b1daa53e815456b0fcfb_JaffaCakes118.exe	31
PID 2372 wrote to memory of 2688	2372	bd79defe4e98b1daa53e815456b0fcfb_JaffaCakes118.exe	31
PID 2372 wrote to memory of 2688	2372	bd79defe4e98b1daa53e815456b0fcfb_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2752	2688	Explorer.exe	32
PID 2688 wrote to memory of 2752	2688	Explorer.exe	32
PID 2688 wrote to memory of 2752	2688	Explorer.exe	32
PID 2688 wrote to memory of 2752	2688	Explorer.exe	32

C:\Users\Admin\AppData\Local\Temp\bd79defe4e98b1daa53e815456b0fcfb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd79defe4e98b1daa53e815456b0fcfb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Program Files (x86)\Dtjqmk Doskkpav\Explorer.exe
  .
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Program Files (x86)\Dtjqmk Doskkpav\explorer.exe
    explorer.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Ekdndbtkyo\17696

Filesize
10KB

MD5
69c97278ab9e590932fef729f038b151

SHA1
076048304500a16cc37dbd8e3d4c42fbc3364ba3

SHA256
89287807eae136d2f00851331e45598287993adfccff325e9251f7107fb93ac6

SHA512
8d822d479fa2dff6f77153f3d4ae0efd65e44c0ef768b074d49549e685adcae8ca75c58dab5d4b45558fa65f9a21cd302b73fba12cc7ee5c1db1f71a382c7906

Download Submit
C:\Program Files (x86)\Ekdndbtkyo\Path.rcd

Filesize
260B

MD5
1e2b8dbe12dd2ffa8619fe195a8fb629

SHA1
ee44098ec9203129381876786355d6436b54a2d7

SHA256
edd0202904aa592425636fe529a845edc43bdbc7e7e374952164a69d0416e3f6

SHA512
ff7cb4b44941a993c1684448ff08c1bd118cbda09ce67cae9a5d4a1d92221a8382c56dba94f1070856242de33fb1edb531933c11ac7dbbe33e207d770c58107a

Download Submit
\Program Files (x86)\Dtjqmk Doskkpav\Explorer.exe

Filesize
6.3MB

MD5
a7c5fa91e4da9e5acb99e99698426d63

SHA1
52ece00b96e727fa84771b2a25ee97a1f91f64e4

SHA256
523ae3f6a850d758f8c21f21bdab973663b9d496f43cd83565b5f5bc62c4fab0

SHA512
e39ad9edfa00bc7fb8db681e8be78db4964f8ba908c8a64d22d1fa07fe2940414322f0afdc94343fce4c31ff8c264c7c25d24b8c282d31e4a2f15aa8d84f3ca3

Download Submit