9171fc1eb8ac3490372322c1a37ef5ebc3653d0d3d67102bb2ee304246df58eb

Analysis

max time kernel
136s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9b6ce9623c340eef0dd20408c06f045_JaffaCakes118.exe
Size

81KB
MD5

b9b6ce9623c340eef0dd20408c06f045
SHA1

ac8aa7d49db4c3765d5671fcaf445c1ebf0235ef
SHA256

9171fc1eb8ac3490372322c1a37ef5ebc3653d0d3d67102bb2ee304246df58eb
SHA512

fd941d1ae96fcd7ea4399c59c485256cfbafdc2ad678ce5d372842d3d16cfaf1d90dbefc27a72087c59f618c9a4d0e7ad9ae62e0a1a99849dc06b21e8f60b0c0
SSDEEP

1536:A5neEhlcTW5sk1Ptf2XbWINndIcN6Jes5gb1b8NE9DYjDMTDk:mnj9PtfUKINndIc0JX5o1b8HnF

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1812	D.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b9b6ce9623c340eef0dd20408c06f045_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9b6ce9623c340eef0dd20408c06f045_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1812	D.exe
1812	D.exe
1812	D.exe
1812	D.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 1812	4400	b9b6ce9623c340eef0dd20408c06f045_JaffaCakes118.exe	84
PID 4400 wrote to memory of 1812	4400	b9b6ce9623c340eef0dd20408c06f045_JaffaCakes118.exe	84
PID 4400 wrote to memory of 1812	4400	b9b6ce9623c340eef0dd20408c06f045_JaffaCakes118.exe	84
PID 1812 wrote to memory of 3520	1812	D.exe	56
PID 1812 wrote to memory of 3520	1812	D.exe	56
PID 1812 wrote to memory of 3520	1812	D.exe	56
PID 1812 wrote to memory of 3520	1812	D.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3520
- C:\Users\Admin\AppData\Local\Temp\b9b6ce9623c340eef0dd20408c06f045_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b9b6ce9623c340eef0dd20408c06f045_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\D.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\D.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\D.exe

Filesize
31KB

MD5
cf6a7c6f411cdeea507a2e9b4648a920

SHA1
3366864505acdd92c80e3daafbca75e75b88fa15

SHA256
9bbdad6e73a603b06fc7b3e55ca2918a53c39959394ccfaa52aaca810938ebe3

SHA512
dd8b6f14ad1698db27af16511661f35750bf22af1959935bc4228aaa5e96b7338719f71f52e406a081d57249218b7797e5b8baf656b6a354f5460af38aea1044

Download Submit
memory/1812-5-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/1812-7-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1812-13-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1812-12-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/3520-8-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3520-9-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download
memory/4400-0-0x0000000001001000-0x0000000001002000-memory.dmp

Filesize
4KB

Download