2f6c5ef0b6ffe7df96e43fccd45f5235b8df33b7d8667616eae8e05dd58aa253

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd35cbd94389b328f55d9fd231c623bb_JaffaCakes118.exe
Size

148KB
MD5

bd35cbd94389b328f55d9fd231c623bb
SHA1

bd03720d9859ca730991f29e13835858d367f7df
SHA256

2f6c5ef0b6ffe7df96e43fccd45f5235b8df33b7d8667616eae8e05dd58aa253
SHA512

36f05d2b9bc8476bf53a5b16911c14c346056c2b704ea72822c295a77eb0ce1bb68af42ea6047217b467705e5056ccc574963619b6298f6be16c779ee64294cb
SSDEEP

3072:IPQt3aMxzd3o9fUPHC56IXsLkce6p23CskJXljt/wOl2RkdOlaVqII6:IPhaCEHpMGljt/RYkolc

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd35cbd94389b328f55d9fd231c623bb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mode.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1864	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1864	taskkill.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2404	2516	bd35cbd94389b328f55d9fd231c623bb_JaffaCakes118.exe	30
PID 2516 wrote to memory of 2404	2516	bd35cbd94389b328f55d9fd231c623bb_JaffaCakes118.exe	30
PID 2516 wrote to memory of 2404	2516	bd35cbd94389b328f55d9fd231c623bb_JaffaCakes118.exe	30
PID 2516 wrote to memory of 2404	2516	bd35cbd94389b328f55d9fd231c623bb_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2544	2404	cmd.exe	32
PID 2404 wrote to memory of 2544	2404	cmd.exe	32
PID 2404 wrote to memory of 2544	2404	cmd.exe	32
PID 2404 wrote to memory of 2544	2404	cmd.exe	32
PID 2404 wrote to memory of 1764	2404	cmd.exe	33
PID 2404 wrote to memory of 1764	2404	cmd.exe	33
PID 2404 wrote to memory of 1764	2404	cmd.exe	33
PID 2404 wrote to memory of 1764	2404	cmd.exe	33
PID 2404 wrote to memory of 1160	2404	cmd.exe	34
PID 2404 wrote to memory of 1160	2404	cmd.exe	34
PID 2404 wrote to memory of 1160	2404	cmd.exe	34
PID 2404 wrote to memory of 1160	2404	cmd.exe	34
PID 2404 wrote to memory of 2252	2404	cmd.exe	35
PID 2404 wrote to memory of 2252	2404	cmd.exe	35
PID 2404 wrote to memory of 2252	2404	cmd.exe	35
PID 2404 wrote to memory of 2252	2404	cmd.exe	35
PID 2404 wrote to memory of 2308	2404	cmd.exe	36
PID 2404 wrote to memory of 2308	2404	cmd.exe	36
PID 2404 wrote to memory of 2308	2404	cmd.exe	36
PID 2404 wrote to memory of 2308	2404	cmd.exe	36
PID 2404 wrote to memory of 2436	2404	cmd.exe	37
PID 2404 wrote to memory of 2436	2404	cmd.exe	37
PID 2404 wrote to memory of 2436	2404	cmd.exe	37
PID 2404 wrote to memory of 2436	2404	cmd.exe	37
PID 2404 wrote to memory of 2476	2404	cmd.exe	38
PID 2404 wrote to memory of 2476	2404	cmd.exe	38
PID 2404 wrote to memory of 2476	2404	cmd.exe	38
PID 2404 wrote to memory of 2476	2404	cmd.exe	38
PID 2404 wrote to memory of 2216	2404	cmd.exe	39
PID 2404 wrote to memory of 2216	2404	cmd.exe	39
PID 2404 wrote to memory of 2216	2404	cmd.exe	39
PID 2404 wrote to memory of 2216	2404	cmd.exe	39
PID 2404 wrote to memory of 1796	2404	cmd.exe	40
PID 2404 wrote to memory of 1796	2404	cmd.exe	40
PID 2404 wrote to memory of 1796	2404	cmd.exe	40
PID 2404 wrote to memory of 1796	2404	cmd.exe	40
PID 2404 wrote to memory of 1864	2404	cmd.exe	41
PID 2404 wrote to memory of 1864	2404	cmd.exe	41
PID 2404 wrote to memory of 1864	2404	cmd.exe	41
PID 2404 wrote to memory of 1864	2404	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\bd35cbd94389b328f55d9fd231c623bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd35cbd94389b328f55d9fd231c623bb_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt0310.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\SysWOW64\mode.com
    mode con cols=36 lines=5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2544
- - C:\Windows\SysWOW64\regini.exe
    regini regini.ini
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ii23.cn\www" /v http /t reg_dword /d "0000004" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1160
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ii23.com\www" /v http /t reg_dword /d "0000004" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2252
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ii23.com" /v http /t reg_dword /d "0000004" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2308
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ii32.com\www" /v http /t reg_dword /d "0000004" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2436
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\3mqian.com\www" /v http /t reg_dword /d "0000004" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2476
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ii23.cn\count" /v http /t reg_dword /d "0000004" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216
- - C:\Windows\SysWOW64\regini.exe
    regini regini.ini
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im "ii23▓═╠ⁿ░Θ┬┬╚Ñ╣π╕µ▓╣╢í.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bt0310.bat

Filesize
1KB

MD5
2e7ccaf17aba9daae162b619770064b5

SHA1
9630e8838f17fd2ca32cab1e482897ac08bcb284

SHA256
b6fbb488e110b8ee755b215a69d6e7aef31de2f9e1d5d68dc2c6243badfca719

SHA512
ab22c54a3f6be9c8e2f00f62ba68b8fc839b43390eccb534a499e5debf5bb5fee36293c8a454757b56c24ae636674f5f82271d36dbfc9f148b2808b13f2d60a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\regini.ini

Filesize
102B

MD5
155956297d0464026d0a5c98ce4b0c23

SHA1
425b8812a09ac560e8eb7db57df12718c6065020

SHA256
ff5b6821b4fa2da03cd7e96c8b4b758d1461a9232c1bf498f334e154ecb7c9d3

SHA512
d9458182364896ec425a68388617f7a822cc60f05f9c98285945fceb4f6243b0e63725f8c99cb6c0029edc01cbcea735bb2bd62e73796c6c9fb4f9935d064c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\regini.ini

Filesize
102B

MD5
4189c82b3fd09287d12ceb6b8446c11c

SHA1
54e8e315acdb4f2c5b1a69b6b9171c652e9a9eff

SHA256
84c6d252a69c62d7a13e361b07cf2a9d72aad31cba18814774de0da13389aaec

SHA512
7450773f12e245a6f7620dc0cfcbf9e04222ca50e06428075c8610786c6ec4acbb1e93d7b0e5f1fad5aa7823c2cff321c077b5ac0684bb44f8fab31c4cd71bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\╫╘╔▒.bat

Filesize
125B

MD5
e70f6cbac472c9028a5f689e0d2c7eb3

SHA1
3732e16c7243827de861433b5095874927259d2a

SHA256
3b0f158dbd0890b0343b88f9297e1613725496995af5afde299c2c1c987d6e32

SHA512
ae41c84b96522a6a8feccbbf6486f5adadc0810001f794a24c9efec0ce74cd59d90ee3eb10b71698e4cf3b3a2b2697a6349f3643e308c6c7eae499e6b0cc3ba0

Download Submit
memory/2516-20-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download