317c67a7cb21efecae972b2e74d5bddaa5d19f3db0ad094b64b6225df21b2881

Analysis

max time kernel
140s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bec704fd9c74a1fa792bcc7f8952a740_JaffaCakes118.exe
Size

176KB
MD5

bec704fd9c74a1fa792bcc7f8952a740
SHA1

9fbbc8bd8b4f7d493b5b8a86cddb106cb082d02d
SHA256

317c67a7cb21efecae972b2e74d5bddaa5d19f3db0ad094b64b6225df21b2881
SHA512

20a834ae27f8f81017eed7e5de40a3103d5884f205d1f18c7dba25e02a58c7aca0c742533c7ad8cb69122d0f458f54f7061e29ff00adb7c89c8a47bd9ad9d072
SSDEEP

3072:DXzv+WutGMFzS7f6nc46WmiJQm7Uj6iJez3YQ+pJza2qQwyU1kADDVi4H:3L0/gCPxrJAAzIpZa2K11i4H

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Loads dropped DLL 1 IoCs

pid	Process
2316	bec704fd9c74a1fa792bcc7f8952a740_JaffaCakes118.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\aston.mt	bec704fd9c74a1fa792bcc7f8952a740_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\aston.mt	bec704fd9c74a1fa792bcc7f8952a740_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\lrpm	bec704fd9c74a1fa792bcc7f8952a740_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\nvaux32.dll	bec704fd9c74a1fa792bcc7f8952a740_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\user32.dll	bec704fd9c74a1fa792bcc7f8952a740_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\user32.DLL	bec704fd9c74a1fa792bcc7f8952a740_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bec704fd9c74a1fa792bcc7f8952a740_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2316	bec704fd9c74a1fa792bcc7f8952a740_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	bec704fd9c74a1fa792bcc7f8952a740_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2316	bec704fd9c74a1fa792bcc7f8952a740_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\bec704fd9c74a1fa792bcc7f8952a740_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bec704fd9c74a1fa792bcc7f8952a740_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\nvaux32.dll

Filesize
284KB

MD5
bffd3a1052b19e013296c7dcba18a998

SHA1
40dbf82e41328fd42f35e3832867d5b3c05ad10b

SHA256
ce4707ba0d1488b80bc6870a7a5839225bb7bd043b9d000190916335e7d14688

SHA512
ecc3ed8ad7b094628773392cc727ee4d6a39dcc3900781ff09ce6c2c63a0303384609595fd9c6f5e2d1148d970ba6f51574f4f2f521bf7d018aaab5f75f8a6e5

Download Submit
memory/2316-2-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2316-1-0x0000000000401000-0x000000000042D000-memory.dmp

Filesize
176KB

Download
memory/2316-0-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2316-5-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2316-4-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2316-7-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2316-16-0x0000000000401000-0x000000000042D000-memory.dmp

Filesize
176KB

Download
memory/2316-17-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download