72be8645c12cff0c6f00e3772194ae4d920a65ef5f1a3036b700c59301c9f7d3

Analysis

max time kernel
136s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb48ecef31f79f2762b6b9ff79c5fe53_JaffaCakes118.exe
Size

46KB
MD5

bb48ecef31f79f2762b6b9ff79c5fe53
SHA1

b5be2e11b0a61c81b0e23baaf0b7465762550b6f
SHA256

72be8645c12cff0c6f00e3772194ae4d920a65ef5f1a3036b700c59301c9f7d3
SHA512

daf291cbd82fa8e5c3e8c0d99c3baa1647ee0c613b798f72cef78e88ee7a423ae1954a232fb3f690c0ac2aae7bf2a27d6930afc3a05a4a8e4715702face68acf
SSDEEP

768:750cdyWxE05BeZmblz7Ngi9CioEgjYGtYBVZXcVymYaNdcpsWXV:FCWxvfKO7iQCqGqBVZXc1VNOvV

Score

8^/10

discovery persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\D4495A5B\ImagePath = "C:\\Windows\\system32\\D4495A5B.EXE -D4495A5B"	bb48ecef31f79f2762b6b9ff79c5fe53_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3856	D4495A5B.EXE

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\D4495A5B.EXE	bb48ecef31f79f2762b6b9ff79c5fe53_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\D4495A5B.EXE	bb48ecef31f79f2762b6b9ff79c5fe53_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\D4495A5B.EXE	D4495A5B.EXE
File created	C:\Windows\SysWOW64\D4495A5B.DLL	D4495A5B.EXE
File created	C:\Windows\SysWOW64\delme.bat	bb48ecef31f79f2762b6b9ff79c5fe53_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb48ecef31f79f2762b6b9ff79c5fe53_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D4495A5B.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3828	bb48ecef31f79f2762b6b9ff79c5fe53_JaffaCakes118.exe
3828	bb48ecef31f79f2762b6b9ff79c5fe53_JaffaCakes118.exe
3856	D4495A5B.EXE
3856	D4495A5B.EXE
3856	D4495A5B.EXE
3856	D4495A5B.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3828 wrote to memory of 2832	3828	bb48ecef31f79f2762b6b9ff79c5fe53_JaffaCakes118.exe	85
PID 3828 wrote to memory of 2832	3828	bb48ecef31f79f2762b6b9ff79c5fe53_JaffaCakes118.exe	85
PID 3828 wrote to memory of 2832	3828	bb48ecef31f79f2762b6b9ff79c5fe53_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\bb48ecef31f79f2762b6b9ff79c5fe53_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bb48ecef31f79f2762b6b9ff79c5fe53_JaffaCakes118.exe"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\delme.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2832

C:\Windows\SysWOW64\D4495A5B.EXE
C:\Windows\SysWOW64\D4495A5B.EXE -D4495A5B
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\D4495A5B.EXE

Filesize
46KB

MD5
bb48ecef31f79f2762b6b9ff79c5fe53

SHA1
b5be2e11b0a61c81b0e23baaf0b7465762550b6f

SHA256
72be8645c12cff0c6f00e3772194ae4d920a65ef5f1a3036b700c59301c9f7d3

SHA512
daf291cbd82fa8e5c3e8c0d99c3baa1647ee0c613b798f72cef78e88ee7a423ae1954a232fb3f690c0ac2aae7bf2a27d6930afc3a05a4a8e4715702face68acf

Download Submit
C:\Windows\SysWOW64\delme.bat

Filesize
239B

MD5
c18d7ff37c26e660b31018ea81cbf724

SHA1
3dbdfe1217423bccb350842cf5ce6c7e3edba9bc

SHA256
29663e5da6caead9edc541b21a4d63456bf43e33b32bb18709fddfa1d4d325c2

SHA512
454e25aeb892e6f425a3b201b4d0238edacd709375e1095b485dd220810c26ef05df806841d0c43fbfc57a174fa823da133834cd54dc6d7ab3f033ce2b1707f1

Download Submit
memory/3828-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3828-1-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/3828-9-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3856-5-0x0000000000800000-0x0000000000840000-memory.dmp

Filesize
256KB

Download
memory/3856-11-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download