Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 25/08/2024, 09:35
Static task: static1
Behavioral task: behavioral1
- Sample: c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
Behavioral task: behavioral3
- Sample: $_3_.exe
- Resource: win7-20240708-en
Behavioral task: behavioral4
- Sample: $_3_.exe
- Resource: win10v2004-20240802-en
General
- Target: $_3_.exe
- Size: 1.8MB
- MD5: 77bfacca17ee1d89833b57f3a746d9a0
- SHA1: aa9490c913489c5eafd02f67f875efcb56d23036
- SHA256: 38571b0965110d07c6fbf4813ab628d4017cf52c681c457fb3f184b644fb0b52
- SHA512: 21ecc2fce94a58cd39127964730b01722b9dafa20d3af65b023fe83188c08211ba1324849513ffc10b6a359737f98c4d06770dc1954f8880daff938a06581e6f
- SSDEEP: 49152:/SNY8H0ZGF5j51XdQTPRPgojx1NslvUOl/WkMWAH:oY00Z8F1XdUL
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | $_3_.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  2536 | $_3_.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  2536 | $_3_.exe
  2536 | $_3_.exe
  2536 | $_3_.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2536 wrote to memory of 352 | 2536 | $_3_.exe | 32
  PID 2536 wrote to memory of 352 | 2536 | $_3_.exe | 32
  PID 2536 wrote to memory of 352 | 2536 | $_3_.exe | 32
  PID 2536 wrote to memory of 352 | 2536 | $_3_.exe | 32
Processes
- C:\Users\Admin\AppData\Local\Temp\$_3_.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2536
  - C:\Windows\SysWOW64\cmd.exe (child of PID 2536)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\21418.bat" "C:\Users\Admin\AppData\Local\Temp\E2DA58CC4D534A7E8CDFA5BBC2B03CEF\""
    - System Location Discovery: System Language Discovery
    PID: 352
Network
MITRE ATT&CK Enterprise v15
Downloads
-
  Filesize: 214B
  MD5: 739fcc7ba42b209fe44bea47e7a8c48f
  SHA1: bc7a448a7c018133edcf012bc94301623eb42c5b
  SHA256: 69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c
  SHA512: 2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a
- C:\Users\Admin\AppData\Local\Temp\E2DA58CC4D534A7E8CDFA5BBC2B03CEF\E2DA58CC4D534A7E8CDFA5BBC2B03CEF_LogFile.txt
  Filesize: 9KB
  MD5: 7eca8d501b76136dc225b7abefeee71d
  SHA1: 2275684e9fd3cbb616c15475a8b36c594e80e7c7
  SHA256: 7d5ba1a7e013f87e163ded99841cac8675938a4a0773e3367dfc51b8fdbdda32
  SHA512: 737f58572eca89cb27532c276b1df8429feaa9c48a185bbecfa79e29c1f20ac1d037b87f51744cabd6e794db937bfe4de53afdfaa02d4950f458251048a84d01
-
  Filesize: 118KB
  MD5: e601af37807d546eee4dd3119284cbdc
  SHA1: 9a20ff25c4c9da753d86ebb8d4f30c0e427d003a
  SHA256: fa88d98f040461e359972962a8d4d149ca6c8a4c0044df3a6446b3d57f4e2813
  SHA512: 4634839e7582ca3c8e89dc01d95318b491a8d746779e33ae361014e2cf40c6c6549ccd8bef9ccca8ecb786eb0f906de3d27fd2bbd637467adb3997bee70b9deb