374f94bc94a6eebc3f8784085f361a30a8caba2c2c60c84572cea8933c3f6e49

Analysis

max time kernel
99s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
26-08-2024 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe
Size

1.7MB
MD5

c1e63560dc0c632686e1c2f6fb40775a
SHA1

08eda0406a0383005ff7a60966e032afebe0d2ab
SHA256

374f94bc94a6eebc3f8784085f361a30a8caba2c2c60c84572cea8933c3f6e49
SHA512

f5d35dfab8fc78584187b21c63887530f57ff9025fce65059a4a004d3c1b490bbfb20fb39c3b23a7bcd70113ff90e5616c4c20bd349d686ec82f2ba74868f311
SSDEEP

24576:LUvxLsmtUuoX5382om3Cg/iDfPc/7tNETop2FmYaS0LtVOmvjkiSs9OfccyM4NQf:oJ7WuW5XgTK7th2jaSYtgySWNI4gF

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2044	wrar393.exe
688	setup.exe

Loads dropped DLL 5 IoCs

pid	Process
2944	c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe
2944	c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe
688	setup.exe
688	setup.exe
688	setup.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrar393.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main	wrar393.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2044	wrar393.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2044	wrar393.exe
2044	wrar393.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2044	2944	c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2044	2944	c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2044	2944	c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2044	2944	c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2044	2944	c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2044	2944	c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2044	2944	c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe	29
PID 2944 wrote to memory of 688	2944	c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe	30
PID 2944 wrote to memory of 688	2944	c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe	30
PID 2944 wrote to memory of 688	2944	c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe	30
PID 2944 wrote to memory of 688	2944	c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe	30
PID 2944 wrote to memory of 688	2944	c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe	30
PID 2944 wrote to memory of 688	2944	c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe	30
PID 2944 wrote to memory of 688	2944	c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe	30
PID 688 wrote to memory of 1524	688	setup.exe	31
PID 688 wrote to memory of 1524	688	setup.exe	31
PID 688 wrote to memory of 1524	688	setup.exe	31
PID 688 wrote to memory of 1524	688	setup.exe	31
PID 688 wrote to memory of 1524	688	setup.exe	31
PID 688 wrote to memory of 1524	688	setup.exe	31
PID 688 wrote to memory of 1524	688	setup.exe	31
PID 1524 wrote to memory of 2536	1524	cmd.exe	33
PID 1524 wrote to memory of 2536	1524	cmd.exe	33
PID 1524 wrote to memory of 2536	1524	cmd.exe	33
PID 1524 wrote to memory of 2536	1524	cmd.exe	33
PID 1524 wrote to memory of 2536	1524	cmd.exe	33
PID 1524 wrote to memory of 2536	1524	cmd.exe	33
PID 1524 wrote to memory of 2536	1524	cmd.exe	33
PID 2916 wrote to memory of 2756	2916	taskeng.exe	35
PID 2916 wrote to memory of 2756	2916	taskeng.exe	35
PID 2916 wrote to memory of 2756	2916	taskeng.exe	35

C:\Users\Admin\AppData\Local\Temp\c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\ wrar393.exe
  "C:\Users\Admin\AppData\Local\Temp\ wrar393.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2044
- C:\Users\Admin\AppData\Local\Temp\ setup.exe
  "C:\Users\Admin\AppData\Local\Temp\ setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c at 00:22 C:\Windows\system32\cmd.exe /c del /F /Q "C:\Users\Admin\AppData\Local\Temp\ setup.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Windows\SysWOW64\at.exe
      at 00:22 C:\Windows\system32\cmd.exe /c del /F /Q "C:\Users\Admin\AppData\Local\Temp\ setup.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2536

C:\Windows\system32\taskeng.exe
taskeng.exe {FEAAF8EF-0CB8-4CC3-9313-76B69ACA9941} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /F /Q "C:\Users\Admin\AppData\Local\Temp\ setup.exe"
  2⤵
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ setup.exe

Filesize
380KB

MD5
aa78e0ac5cb33a254fe18f516543ece5

SHA1
96aa657d4e85f42a2a783387224010f38b5268af

SHA256
647a0483cf74f4099112267004494809a8333165951f705c07978ab114e6d0e0

SHA512
3dd5ca02a410c263256b927d3f87ef768657bf482a9e0b237b599e26274ec9491f7b1a8c8e14ca450f00e89d177f8aa5f2e599201020b2d984c90497dab10ba2

Download Submit
\Users\Admin\AppData\Local\Temp\ wrar393.exe

Filesize
1.3MB

MD5
b3b121ccac92a71152d3aa6a783927d4

SHA1
b51e3dcd8edaad1cb77550a9cfd6266c4925c630

SHA256
31c84f5d740eb7b497fcfd5e963123d0a1a94afe6edfd18cfc23b2d1234078fb

SHA512
e8f1308aed05f027eace8b0d6dd8a0e4d391748f822a6e665a4e46b88a9f2bf278d3b93c884bdf66b6c94be1223ec7d5ad60fd149a9e20b47b96c56a235cea39

Download Submit
memory/688-15-0x00000000743F2000-0x00000000743F4000-memory.dmp

Filesize
8KB

Download