78ae59a2ba226787ff7e8fc0bfc959352c4359de65119f6878f6499e30f6ff9f

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc046a4234955bc74f1cdb12ab1aa79a_JaffaCakes118.exe
Size

321KB
MD5

bc046a4234955bc74f1cdb12ab1aa79a
SHA1

4ff51fe7db3c1990a11179df21962a03ac8ed646
SHA256

78ae59a2ba226787ff7e8fc0bfc959352c4359de65119f6878f6499e30f6ff9f
SHA512

aab38719c13f1db687f6b40c059bb878d4ddc05c4df6b85f7a0cdfb510c6b991bbdaa3297bfc1dd430e2219d397c9a7ca8ad4f28b3c93c0401c69921d9194127
SSDEEP

6144:AzCpRwZ6WAwEGF7ShI966AGkAjOpoaY7zPYe4VMFxCVFkZv7uyX2kdecIN+/:A+pRwd4GFiq6xGJOpqPP6kYVF+uidetS

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	360tay.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	bc046a4234955bc74f1cdb12ab1aa79a_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2640	360tay.exe
3008	360tay.exe

Loads dropped DLL 1 IoCs

pid	Process
2640	360tay.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\360tay.exe	bc046a4234955bc74f1cdb12ab1aa79a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\360tay.exe	bc046a4234955bc74f1cdb12ab1aa79a_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2800 set thread context of 3028	2800	bc046a4234955bc74f1cdb12ab1aa79a_JaffaCakes118.exe	31
PID 2640 set thread context of 3008	2640	360tay.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc046a4234955bc74f1cdb12ab1aa79a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	360tay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc046a4234955bc74f1cdb12ab1aa79a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3028	bc046a4234955bc74f1cdb12ab1aa79a_JaffaCakes118.exe
3028	bc046a4234955bc74f1cdb12ab1aa79a_JaffaCakes118.exe
3008	360tay.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3028	bc046a4234955bc74f1cdb12ab1aa79a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 3028	2800	bc046a4234955bc74f1cdb12ab1aa79a_JaffaCakes118.exe	31
PID 2800 wrote to memory of 3028	2800	bc046a4234955bc74f1cdb12ab1aa79a_JaffaCakes118.exe	31
PID 2800 wrote to memory of 3028	2800	bc046a4234955bc74f1cdb12ab1aa79a_JaffaCakes118.exe	31
PID 2800 wrote to memory of 3028	2800	bc046a4234955bc74f1cdb12ab1aa79a_JaffaCakes118.exe	31
PID 2800 wrote to memory of 3028	2800	bc046a4234955bc74f1cdb12ab1aa79a_JaffaCakes118.exe	31
PID 2800 wrote to memory of 3028	2800	bc046a4234955bc74f1cdb12ab1aa79a_JaffaCakes118.exe	31
PID 2800 wrote to memory of 3028	2800	bc046a4234955bc74f1cdb12ab1aa79a_JaffaCakes118.exe	31
PID 2800 wrote to memory of 3028	2800	bc046a4234955bc74f1cdb12ab1aa79a_JaffaCakes118.exe	31
PID 2640 wrote to memory of 3008	2640	360tay.exe	33
PID 2640 wrote to memory of 3008	2640	360tay.exe	33
PID 2640 wrote to memory of 3008	2640	360tay.exe	33
PID 2640 wrote to memory of 3008	2640	360tay.exe	33
PID 2640 wrote to memory of 3008	2640	360tay.exe	33
PID 2640 wrote to memory of 3008	2640	360tay.exe	33
PID 2640 wrote to memory of 3008	2640	360tay.exe	33
PID 2640 wrote to memory of 3008	2640	360tay.exe	33
PID 3028 wrote to memory of 348	3028	bc046a4234955bc74f1cdb12ab1aa79a_JaffaCakes118.exe	34
PID 3028 wrote to memory of 348	3028	bc046a4234955bc74f1cdb12ab1aa79a_JaffaCakes118.exe	34
PID 3028 wrote to memory of 348	3028	bc046a4234955bc74f1cdb12ab1aa79a_JaffaCakes118.exe	34
PID 3028 wrote to memory of 348	3028	bc046a4234955bc74f1cdb12ab1aa79a_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\bc046a4234955bc74f1cdb12ab1aa79a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bc046a4234955bc74f1cdb12ab1aa79a_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Users\Admin\AppData\Local\Temp\bc046a4234955bc74f1cdb12ab1aa79a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\bc046a4234955bc74f1cdb12ab1aa79a_JaffaCakes118.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BC046A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:348

C:\Windows\SysWOW64\360tay.exe
C:\Windows\SysWOW64\360tay.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\360tay.exe
  "C:\Windows\SysWOW64\360tay.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\360tay.exe

Filesize
321KB

MD5
bc046a4234955bc74f1cdb12ab1aa79a

SHA1
4ff51fe7db3c1990a11179df21962a03ac8ed646

SHA256
78ae59a2ba226787ff7e8fc0bfc959352c4359de65119f6878f6499e30f6ff9f

SHA512
aab38719c13f1db687f6b40c059bb878d4ddc05c4df6b85f7a0cdfb510c6b991bbdaa3297bfc1dd430e2219d397c9a7ca8ad4f28b3c93c0401c69921d9194127

Download Submit
memory/2640-55-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2640-58-0x0000000001C00000-0x0000000001C5B000-memory.dmp

Filesize
364KB

Download
memory/2800-15-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2800-18-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/2800-25-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2800-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2800-5-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2800-4-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2800-3-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2800-24-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/2800-23-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2800-22-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/2800-21-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/2800-20-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/2800-19-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2800-9-0x0000000003020000-0x0000000003021000-memory.dmp

Filesize
4KB

Download
memory/2800-13-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2800-17-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/2800-16-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2800-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2800-26-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2800-14-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2800-1-0x0000000000340000-0x000000000039A000-memory.dmp

Filesize
360KB

Download
memory/2800-11-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/2800-10-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2800-2-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2800-8-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2800-12-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2800-7-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2800-38-0x0000000000340000-0x000000000039A000-memory.dmp

Filesize
360KB

Download
memory/2800-36-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3008-57-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3008-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3008-62-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3028-39-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3028-31-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3028-37-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3028-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3028-29-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3028-59-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3028-27-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3028-28-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download