8d02a8dc22fb90f5ae20f9b2147ca14b5f06a5c6ee80a458c5ca066c7087712d

Analysis

max time kernel
136s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe
Size

9KB
MD5

bf99bd02663cf41ebca939228361a510
SHA1

decd84f279d896ecb077ed364192c369d1fa70a5
SHA256

8d02a8dc22fb90f5ae20f9b2147ca14b5f06a5c6ee80a458c5ca066c7087712d
SHA512

b8d39137aba1aeb24fc971f2cb21b072ebad38a02fb1dffc6d7709bb21c69d9cf7a7d692af65cb5a8082b93f929abeb075147c4e11fe0bf129355f69411a0e97
SSDEEP

192:sjfO4JtTSaX7T/bOvP2hOXEqMcmCoxN2OyzvoXcnUL5ad:sjxJ11nbKPzycmCoYToXcnUl0

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\midimapjr = "{4F4F0064-71E0-4f0d-0012-708476C7815F}"	bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
1408	bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\midimapjr.tmp	bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\midimapjr.tmp	bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\midimapjr.dat	bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F4F0064-71E0-4f0d-0012-708476C7815F}	bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F4F0064-71E0-4f0d-0012-708476C7815F}\InProcServer32	bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F4F0064-71E0-4f0d-0012-708476C7815F}\InProcServer32\ = "C:\\Windows\\SysWow64\\midimapjr.dll"	bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F4F0064-71E0-4f0d-0012-708476C7815F}\InProcServer32\ThreadingModel = "Apartment"	bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1408	bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe
1408	bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1408	bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 2020	1408	bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe	89
PID 1408 wrote to memory of 2020	1408	bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe	89
PID 1408 wrote to memory of 2020	1408	bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\BAC4.tmp.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BAC4.tmp.bat

Filesize
207B

MD5
283b7c9132034dbd8a668c231092e34f

SHA1
9c8250c422e1c9b14d6e9282d3efd60070f59642

SHA256
c2fe98aa287ac29483d2c26a100f14885125ec08458ae1a80d1035e0ba1721e1

SHA512
90ddeb34976023fe5f653df6d72c10368819736fefc2f755db0882913fe1493791aae91ac7b612517aea969293eab9f8ff1f4b8bda9db5188bcac6d90b19cc53

Download Submit
C:\Windows\SysWOW64\midimapjr.tmp

Filesize
1.0MB

MD5
6e7e5a11ad4c34755e1045499d096252

SHA1
c3d11007ba39228a275c0819d2a119b2820a5500

SHA256
150cc7b0fab5e74b3af42bcd5b7c81874349ed4230d064d4b87cfe91f4b0bc39

SHA512
351a6616baeb53b20e30e74742c39ed0fbc43b647c814cd8fa604b28ea9a940e9330f3b31bc55d3c9b36e104ad44bc00a546b55c59d3e90cdf533a87196ce4de

Download Submit