49159ee1090240bd9e54d593eddfe384e04e5238e0105e2db6d50138a30f492b

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0536d38575def69a78dded9b3092c91_JaffaCakes118.exe
Size

20KB
MD5

c0536d38575def69a78dded9b3092c91
SHA1

160fa708b50667459a6fe484e378dc4b689de468
SHA256

49159ee1090240bd9e54d593eddfe384e04e5238e0105e2db6d50138a30f492b
SHA512

8d192997837b274ed77cdb80cf9ca655c5f5b68599218b94cb208d43bae90b2ba5d1c9dba339182fc4075701cc4af8db758a0f35a635c39f811a171600133994
SSDEEP

384:m1qW/W7oGOuiowfuryLkAI0XXwMz0vNgs9TO+rN9jYDqObCSxS5Vr:mRqwfu0FIeAMmNj9T1hoWSoV

Score

8^/10

discovery persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\373049E0\ImagePath = "C:\\Windows\\system32\\33DD4C00.EXE -p"	c0536d38575def69a78dded9b3092c91_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2972	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\33DD4C00.EXE	c0536d38575def69a78dded9b3092c91_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\delme.bat	c0536d38575def69a78dded9b3092c91_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0536d38575def69a78dded9b3092c91_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
580	c0536d38575def69a78dded9b3092c91_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
580	c0536d38575def69a78dded9b3092c91_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 580 wrote to memory of 2972	580	c0536d38575def69a78dded9b3092c91_JaffaCakes118.exe	31
PID 580 wrote to memory of 2972	580	c0536d38575def69a78dded9b3092c91_JaffaCakes118.exe	31
PID 580 wrote to memory of 2972	580	c0536d38575def69a78dded9b3092c91_JaffaCakes118.exe	31
PID 580 wrote to memory of 2972	580	c0536d38575def69a78dded9b3092c91_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\c0536d38575def69a78dded9b3092c91_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c0536d38575def69a78dded9b3092c91_JaffaCakes118.exe"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\delme.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\delme.bat

Filesize
239B

MD5
7c4a08d3a1749d3ffee04f1d342b00a7

SHA1
b02003d114d3715bc5bddc0e73ff8cbedc46a003

SHA256
efead8b03b4eb3fdd09e100b5b3a75eff2b78880289cb59f49d5a5515d069526

SHA512
9bfeab12b1fb8c1b0d8a526c9b0ac8cf3ede56435e8001012f8512b31221d55ddbf89b7b9c8e7c6f3aef0140a2d20e922d73901ccb6d5b110d75c02acb3dddbd

Download Submit
memory/580-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/580-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/580-2-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/580-12-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download