Analysis
max time kernel
141s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted
24/08/2024, 02:21
Static task
static1
Behavioral task
behavioral1
Sample
bdd28de1e044c97c3cc701d3218b152b_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
bdd28de1e044c97c3cc701d3218b152b_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
bdd28de1e044c97c3cc701d3218b152b_JaffaCakes118.exe
-
Size
2.6MB
-
MD5
bdd28de1e044c97c3cc701d3218b152b
-
SHA1
5b1ee704ef3e360454bfa2a0b2fbdedeedcf252c
-
SHA256
d1fc9b340ae1f469127b847400f34da6ecdff2841df99cd6b16a777b0bf38081
-
SHA512
9a4a4dcc26b2432c7f18ad05a1a1c225db99c573af3e27e67136f68be86141a13ed9d65b2746c688ca0ead0c019cce43f79b7c144e844425dd48ca7e77667326
-
SSDEEP
49152:UPYfxkpUJWDQ7cSwMuIdhgT/g9cRi79MAxs9S:UQfyuV7nwdWcuR
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
pid | Process
2212 | svchost.exe
2464 | bdd28de1e044c97c3cc701d3218b152b_JaffaCakes118.exe
776 | svchost.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\backup\caps.db | bdd28de1e044c97c3cc701d3218b152b_JaffaCakes118.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | svchost.exe
File created | C:\Program Files (x86)\Common Files\Adobe\backup\caps.db | bdd28de1e044c97c3cc701d3218b152b_JaffaCakes118.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | svchost.exe
File created | C:\Program Files (x86)\Common Files\Adobe\caps\caps.db-journal | bdd28de1e044c97c3cc701d3218b152b_JaffaCakes118.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | svchost.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | svchost.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | svchost.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\caps\caps.db | bdd28de1e044c97c3cc701d3218b152b_JaffaCakes118.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | svchost.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | svchost.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\svchost.exe | bdd28de1e044c97c3cc701d3218b152b_JaffaCakes118.exe
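Two things in the file-system signatures deserve a hunt on any host that may have run this sample: the dropped binary is named svchost.exe but is written to C:\Windows rather than C:\Windows\System32 (or SysWOW64), which is the only place the genuine service host lives, and that same dropped svchost.exe is the process that opens dozens of third-party executables under Program Files (the JDK, 7-Zip, Chrome, Office Click-to-Run, dotnet) for modification. The sandbox records the open with write access, not that bytes were actually written, so the check a responder wants is a hash comparison against a known-good baseline. The following Python hunt script is an added example, not part of this report and not Tria.ge code: it walks a volume, matches file hashes against the MD5/SHA-256 values listed on this page, flags svchost.exe anywhere outside System32/SysWOW64, and reports Program Files binaries whose SHA-256 no longer matches a baseline you supply. The miniature volume, file contents and baseline hash in run_demo() are constructed stand-ins (the real binaries are not reproduced), so the sample's stand-in hash is appended to the IoC set for the demo only.

```python
import hashlib
import tempfile
from pathlib import Path

# Hashes copied from the report: the submitted sample (General section) and the
# three files listed under Downloads.
IOC_MD5 = {
    "bdd28de1e044c97c3cc701d3218b152b",
    "86ed2df96dcfb1488db4d98c46ce210c",
    "57fe5ca31c417cac33d3a785f67ebe18",
    "9e3c13b6556d5636b745d3e466d47467",
}
IOC_SHA256 = {
    "d1fc9b340ae1f469127b847400f34da6ecdff2841df99cd6b16a777b0bf38081",
    "8e26ca94cda14cc783621680daf9f14927c3cef4626a83c2f06b8076727ba965",
    "8112a6f215470921727627f7fd4491ec94ef4ab6a4fb80f6f122ceaaa83a70b6",
    "20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8",
}

# Relative to the volume root; the only directories that legitimately hold svchost.exe.
LEGIT_SVCHOST_DIRS = {"windows/system32", "windows/syswow64"}


def file_hashes(path):
    """MD5 and SHA-256 of one file, streamed so multi-megabyte binaries are fine."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def hunt(root, ioc_md5=IOC_MD5, ioc_sha256=IOC_SHA256, baseline=None):
    """Walk `root` (treated as the volume root, i.e. the C: drive) and return a sorted
    list of (finding, relative_path, sha256) for:
      ioc_hash_match           file hash equals one of the report's hashes
      svchost_outside_system32 svchost.exe living anywhere but System32/SysWOW64
      baseline_mismatch        a file whose SHA-256 differs from the known-good
                               value in `baseline` (lower-case relative path -> sha256)
    """
    root = Path(root)
    baseline = baseline or {}
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix().lower()
        md5, sha256 = file_hashes(path)
        if md5 in ioc_md5 or sha256 in ioc_sha256:
            findings.append(("ioc_hash_match", rel, sha256))
        directory, _, name = rel.rpartition("/")
        if name == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS:
            findings.append(("svchost_outside_system32", rel, sha256))
        if rel in baseline and baseline[rel] != sha256:
            findings.append(("baseline_mismatch", rel, sha256))
    return sorted(findings)


def run_demo():
    """Build a constructed miniature of the infected volume in a temp dir and hunt it.
    Every file body below is a stand-in, not the real binary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "Windows/System32/svchost.exe": b"MZ stand-in for the genuine service host",
            "Windows/svchost.exe": b"MZ stand-in for the dropped copy",
            "Program Files/7-Zip/7z.exe": b"MZ stand-in for 7z.exe after svchost.exe opened it",
            "Users/Admin/AppData/Local/Temp/bdd28de1e044c97c3cc701d3218b152b_JaffaCakes118.exe":
                b"MZ stand-in for the submitted sample",
        }
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        # Constructed known-good hash of 7z.exe as recorded before the incident.
        baseline = {"program files/7-zip/7z.exe":
                    hashlib.sha256(b"MZ stand-in for the clean 7z.exe").hexdigest()}
        # The stand-in sample cannot hash to the report's value, so add its hash for the demo.
        iocs = IOC_SHA256 | {hashlib.sha256(b"MZ stand-in for the submitted sample").hexdigest()}
        return hunt(root, ioc_sha256=iocs, baseline=baseline)


if __name__ == "__main__":
    for finding, rel, sha256 in run_demo():
        print(f"{finding:25} {rel}  {sha256[:16]}...")
```

On a real host run hunt() against the mounted volume and feed it a baseline of the 64 paths from the signature above, hashed from a clean image of the same software versions; a hash match on those paths with the report's values is not expected (those hashes are for the sample and its drops), so the baseline comparison is what tells you whether the opened files were actually altered.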
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bdd28de1e044c97c3cc701d3218b152b_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bdd28de1e044c97c3cc701d3218b152b_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2464 bdd28de1e044c97c3cc701d3218b152b_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 3744 wrote to memory of 2212 | 3744 | bdd28de1e044c97c3cc701d3218b152b_JaffaCakes118.exe | 84
PID 3744 wrote to memory of 2212 | 3744 | bdd28de1e044c97c3cc701d3218b152b_JaffaCakes118.exe | 84
PID 3744 wrote to memory of 2212 | 3744 | bdd28de1e044c97c3cc701d3218b152b_JaffaCakes118.exe | 84
PID 2212 wrote to memory of 2464 | 2212 | svchost.exe | 85
PID 2212 wrote to memory of 2464 | 2212 | svchost.exe | 85
PID 2212 wrote to memory of 2464 | 2212 | svchost.exe | 85
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\bdd28de1e044c97c3cc701d3218b152b_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bdd28de1e044c97c3cc701d3218b152b_JaffaCakes118.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3744
  [2] C:\Windows\svchost.exe
      Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\bdd28de1e044c97c3cc701d3218b152b_JaffaCakes118.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2212
    [3] C:\Users\Admin\AppData\Local\Temp\bdd28de1e044c97c3cc701d3218b152b_JaffaCakes118.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\bdd28de1e044c97c3cc701d3218b152b_JaffaCakes118.exe"
        - Executes dropped EXE
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        PID: 2464

[1] C:\Windows\svchost.exe
    Command line: C:\Windows\svchost.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID: 776
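The WriteProcessMemory entries and the process tree describe one chain: the submitted sample (PID 3744) starts the dropped C:\Windows\svchost.exe (PID 2212), passing its own path on the command line, and that dropped copy then launches the original sample path again (PID 2464), which is the process that goes on to open the Program Files binaries; PID 776 is a separate, stand-alone run of the dropped file. The Python below is an added example, not part of this report, that parses the sandbox's WriteProcessMemory lines exactly as they are printed on this page, rebuilds the tree from them, and flags the two things worth alerting on in telemetry from a real host: svchost.exe running from outside System32/SysWOW64, and a masquerading svchost.exe that hands execution back to the image its own parent ran. The event text and the PID-to-image mapping are re-typed from this page; the function names and the tuple layout are my own.

```python
import re
from collections import defaultdict

# Constructed input, re-typed from the report: the six WriteProcessMemory events
# as the sandbox prints them, and PID -> image path from the Processes section.
WPM_EVENTS = """\
PID 3744 wrote to memory of 2212 3744 bdd28de1e044c97c3cc701d3218b152b_JaffaCakes118.exe 84
PID 3744 wrote to memory of 2212 3744 bdd28de1e044c97c3cc701d3218b152b_JaffaCakes118.exe 84
PID 3744 wrote to memory of 2212 3744 bdd28de1e044c97c3cc701d3218b152b_JaffaCakes118.exe 84
PID 2212 wrote to memory of 2464 2212 svchost.exe 85
PID 2212 wrote to memory of 2464 2212 svchost.exe 85
PID 2212 wrote to memory of 2464 2212 svchost.exe 85
"""

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\bdd28de1e044c97c3cc701d3218b152b_JaffaCakes118.exe"
PROCESSES = {
    3744: SAMPLE,
    2212: r"C:\Windows\svchost.exe",
    2464: SAMPLE,
    776: r"C:\Windows\svchost.exe",
}

# Line shape: "PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>"
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")

# The only directories that legitimately host svchost.exe on a stock Windows install.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_wpm(text):
    """Parse WriteProcessMemory lines into unique (writer_pid, target_pid,
    writer_image, procid_target) edges, first-seen order, non-matching lines skipped."""
    edges = []
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), int(m.group(4)))
        if edge not in edges:
            edges.append(edge)
    return edges


def masquerading_svchost(processes):
    """PIDs whose image is named svchost.exe but lives outside System32/SysWOW64."""
    hits = []
    for pid, image in processes.items():
        directory, _, name = image.lower().rpartition("\\")
        if name == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS:
            hits.append(pid)
    return sorted(hits)


def build_tree(edges, processes):
    """Treat each writer->target edge as parent->child; returns (roots, children, parent)."""
    children = defaultdict(list)
    parent = {}
    for writer, target, _, _ in edges:
        if target not in children[writer]:
            children[writer].append(target)
        parent[target] = writer
    roots = [pid for pid in processes if pid not in parent]
    return roots, children, parent


def render_tree(pids, children, processes, depth=0):
    """Indented text rendering, one line per process."""
    lines = []
    for pid in pids:
        lines.append("  " * depth + f"{pid} {processes[pid]}")
        lines.extend(render_tree(children.get(pid, []), children, processes, depth + 1))
    return lines


def relaunch_of_original(edges, processes):
    """(dropped_pid, relaunched_pid) pairs where a masquerading svchost.exe writes into
    a new process that runs the same image its own parent ran: the dropped copy
    handing control back to the original sample."""
    _, _, parent = build_tree(edges, processes)
    fake = set(masquerading_svchost(processes))
    out = []
    for writer, target, _, _ in edges:
        if writer in fake and writer in parent and processes[parent[writer]] == processes[target]:
            out.append((writer, target))
    return out


if __name__ == "__main__":
    edges = parse_wpm(WPM_EVENTS)
    roots, children, _ = build_tree(edges, PROCESSES)
    print("\n".join(render_tree(roots, children, PROCESSES)))
    print("svchost.exe outside System32:", masquerading_svchost(PROCESSES))
    print("dropped copy re-executes original:", relaunch_of_original(edges, PROCESSES))
```

The same two checks port directly to Sysmon event ID 1 (process create) and event ID 10 (process access) data: compare the Image field's directory against the System32/SysWOW64 allow-list, and look for an out-of-place svchost.exe whose child runs the image of its own parent.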
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
25KB
MD5
86ed2df96dcfb1488db4d98c46ce210c
SHA1
95fda3ccda536ef57de36d662d9db5e532007d9d
SHA256
8e26ca94cda14cc783621680daf9f14927c3cef4626a83c2f06b8076727ba965
SHA512
32a3681d564ac336a026d2fbc421f48b803b68f41dbe633d80797faf8404375a7bdaaf31fabc8bfc984f0c189f660a16a148bc172c0d71001434a292abb450bb
-
Filesize
2.6MB
MD5
57fe5ca31c417cac33d3a785f67ebe18
SHA1
12c28f8dd5798ee132c6ba0a179a1ad37dc1fb97
SHA256
8112a6f215470921727627f7fd4491ec94ef4ab6a4fb80f6f122ceaaa83a70b6
SHA512
76d6750b2cbeeed2265cc6fa39dcf54515970d08f60dd39e6e127111cd641574629fa476c17e2f2ccc5f56879b474893b58a4dc5467ff8501cf7d58e51536a31
-
Filesize
35KB
MD5
9e3c13b6556d5636b745d3e466d47467
SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538
SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8
SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b