2b1a950e0bb9b5b0d9dcaca6178649e0411d6ac489539d3fc4b1001deabc6f2a

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
26/08/2024, 00:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c1f2be963c848a4f3661d98503b7dcb7_JaffaCakes118.exe
Size

1.2MB
MD5

c1f2be963c848a4f3661d98503b7dcb7
SHA1

daa9405a6cae2d6aaf0c26f32a112e4887aff6bd
SHA256

2b1a950e0bb9b5b0d9dcaca6178649e0411d6ac489539d3fc4b1001deabc6f2a
SHA512

153f25f415d49c01717b0b720cfdc768e558c9e0df08fb15cab3dde9fe300dd8a172ba3ef5ad3433c68724587503c84ede80fae18050f27573c184f9c070aebf
SSDEEP

24576:QZMlWVQQO8FLAZD6V5avE3XUBaLRK1kVehRJ9+AQ8/eG3npeZrI:Q2xsLA1BE3XUBac6ehb9+HeZi

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2896	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3060	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\pRogram Files\svchost.exe	c1f2be963c848a4f3661d98503b7dcb7_JaffaCakes118.exe
File opened for modification	C:\pRogram Files\svchost.exe	c1f2be963c848a4f3661d98503b7dcb7_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.BAT	c1f2be963c848a4f3661d98503b7dcb7_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1f2be963c848a4f3661d98503b7dcb7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	c1f2be963c848a4f3661d98503b7dcb7_JaffaCakes118.exe
Token: SeDebugPrivilege	3060	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3060	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2896	2540	c1f2be963c848a4f3661d98503b7dcb7_JaffaCakes118.exe	32
PID 2540 wrote to memory of 2896	2540	c1f2be963c848a4f3661d98503b7dcb7_JaffaCakes118.exe	32
PID 2540 wrote to memory of 2896	2540	c1f2be963c848a4f3661d98503b7dcb7_JaffaCakes118.exe	32
PID 2540 wrote to memory of 2896	2540	c1f2be963c848a4f3661d98503b7dcb7_JaffaCakes118.exe	32
PID 2540 wrote to memory of 2896	2540	c1f2be963c848a4f3661d98503b7dcb7_JaffaCakes118.exe	32
PID 2540 wrote to memory of 2896	2540	c1f2be963c848a4f3661d98503b7dcb7_JaffaCakes118.exe	32
PID 2540 wrote to memory of 2896	2540	c1f2be963c848a4f3661d98503b7dcb7_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\c1f2be963c848a4f3661d98503b7dcb7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c1f2be963c848a4f3661d98503b7dcb7_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.BAT
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2896

C:\pRogram Files\svchost.exe
"C:\pRogram Files\svchost.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\svchost.exe

Filesize
1.2MB

MD5
c1f2be963c848a4f3661d98503b7dcb7

SHA1
daa9405a6cae2d6aaf0c26f32a112e4887aff6bd

SHA256
2b1a950e0bb9b5b0d9dcaca6178649e0411d6ac489539d3fc4b1001deabc6f2a

SHA512
153f25f415d49c01717b0b720cfdc768e558c9e0df08fb15cab3dde9fe300dd8a172ba3ef5ad3433c68724587503c84ede80fae18050f27573c184f9c070aebf

Download Submit
C:\Windows\uninstal.BAT

Filesize
218B

MD5
2f7c348ad1ab913aae80280d35754fd1

SHA1
ed2975786d3cb68ac572faf2c2e8c490a8930e90

SHA256
9abaeba940715972bc96fb35e5bed50416307867f352d9c1b8da99d88164a5e7

SHA512
7ff1c8ee2d0dc102bc87ef398ce60862de5f15201641db098ee86ebebf48e3f83bbdfa05f8f42069785ca471f6f7c62274fb2f12eb1a59c62dcd1bca3f755807

Download Submit
memory/2540-0-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2540-1-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2540-14-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/3060-5-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/3060-6-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/3060-16-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/3060-17-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download