115f0f0a628a4245941de8e7b0c0c1625dceef134e566a983ac6af236fa064cf

Analysis

max time kernel
133s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2551e6ee51c109bc530e3c9dadce309_JaffaCakes118.exe
Size

241KB
MD5

c2551e6ee51c109bc530e3c9dadce309
SHA1

46f6fbbedc051331d714a5f9a9903474f4e3d83c
SHA256

115f0f0a628a4245941de8e7b0c0c1625dceef134e566a983ac6af236fa064cf
SHA512

b161eb190ac3545b16fc6ffba4fc45fa6559138228888a788deb530b07f7fe2acf0c300d0d18c67e39442d470cf9eb5612477ca782eedd22715fd279a89f5818
SSDEEP

3072:wAWEqcrBSP8OroaUTpF8j0DGh/YV7TFGkbGO+NB76QABgbAQAtt:wkZQ8Orol8/hAVFjGHNB76QZ6

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 7 IoCs

pid	Process
1976	c2551e6ee51c109bc530e3c9dadce309_JaffaCakes118.exe
1976	c2551e6ee51c109bc530e3c9dadce309_JaffaCakes118.exe
1976	c2551e6ee51c109bc530e3c9dadce309_JaffaCakes118.exe
1976	c2551e6ee51c109bc530e3c9dadce309_JaffaCakes118.exe
1976	c2551e6ee51c109bc530e3c9dadce309_JaffaCakes118.exe
1976	c2551e6ee51c109bc530e3c9dadce309_JaffaCakes118.exe
1976	c2551e6ee51c109bc530e3c9dadce309_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c2551e6ee51c109bc530e3c9dadce309_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4800	WMIC.exe
Token: SeSecurityPrivilege	4800	WMIC.exe
Token: SeTakeOwnershipPrivilege	4800	WMIC.exe
Token: SeLoadDriverPrivilege	4800	WMIC.exe
Token: SeSystemProfilePrivilege	4800	WMIC.exe
Token: SeSystemtimePrivilege	4800	WMIC.exe
Token: SeProfSingleProcessPrivilege	4800	WMIC.exe
Token: SeIncBasePriorityPrivilege	4800	WMIC.exe
Token: SeCreatePagefilePrivilege	4800	WMIC.exe
Token: SeBackupPrivilege	4800	WMIC.exe
Token: SeRestorePrivilege	4800	WMIC.exe
Token: SeShutdownPrivilege	4800	WMIC.exe
Token: SeDebugPrivilege	4800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4800	WMIC.exe
Token: SeRemoteShutdownPrivilege	4800	WMIC.exe
Token: SeUndockPrivilege	4800	WMIC.exe
Token: SeManageVolumePrivilege	4800	WMIC.exe
Token: 33	4800	WMIC.exe
Token: 34	4800	WMIC.exe
Token: 35	4800	WMIC.exe
Token: 36	4800	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4800	WMIC.exe
Token: SeSecurityPrivilege	4800	WMIC.exe
Token: SeTakeOwnershipPrivilege	4800	WMIC.exe
Token: SeLoadDriverPrivilege	4800	WMIC.exe
Token: SeSystemProfilePrivilege	4800	WMIC.exe
Token: SeSystemtimePrivilege	4800	WMIC.exe
Token: SeProfSingleProcessPrivilege	4800	WMIC.exe
Token: SeIncBasePriorityPrivilege	4800	WMIC.exe
Token: SeCreatePagefilePrivilege	4800	WMIC.exe
Token: SeBackupPrivilege	4800	WMIC.exe
Token: SeRestorePrivilege	4800	WMIC.exe
Token: SeShutdownPrivilege	4800	WMIC.exe
Token: SeDebugPrivilege	4800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4800	WMIC.exe
Token: SeRemoteShutdownPrivilege	4800	WMIC.exe
Token: SeUndockPrivilege	4800	WMIC.exe
Token: SeManageVolumePrivilege	4800	WMIC.exe
Token: 33	4800	WMIC.exe
Token: 34	4800	WMIC.exe
Token: 35	4800	WMIC.exe
Token: 36	4800	WMIC.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 3944	1976	c2551e6ee51c109bc530e3c9dadce309_JaffaCakes118.exe	84
PID 1976 wrote to memory of 3944	1976	c2551e6ee51c109bc530e3c9dadce309_JaffaCakes118.exe	84
PID 1976 wrote to memory of 3944	1976	c2551e6ee51c109bc530e3c9dadce309_JaffaCakes118.exe	84
PID 3944 wrote to memory of 4800	3944	cmd.exe	87
PID 3944 wrote to memory of 4800	3944	cmd.exe	87
PID 3944 wrote to memory of 4800	3944	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\c2551e6ee51c109bc530e3c9dadce309_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c2551e6ee51c109bc530e3c9dadce309_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wmic computersystem get model /format:list
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic computersystem get model /format:list
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsmB028.tmp\ButtonEvent.dll

Filesize
4KB

MD5
55788069d3fa4e1daf80f3339fa86fe2

SHA1
d64e05c1879a92d5a8f9ff2fd2f1a53e1a53ae96

SHA256
d6e429a063adf637f4d19d4e2eb094d9ff27382b21a1f6dccf9284afb5ff8c7f

SHA512
d3b1eec76e571b657df444c59c48cad73a58d1a10ff463ce9f3acd07acce17d589c3396ad5bdb94da585da08d422d863ffe1de11f64298329455f6d8ee320616

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmB028.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmB028.tmp\inetc.dll

Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmB028.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmB028.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit