156cb3c66fe19179f109c0e43ce0c69f046e85d5bb01b13ce9800598591b1edf

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26/08/2024, 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c290972218030f7f540eba7bd91cdbb9_JaffaCakes118.exe
Size

4.0MB
MD5

c290972218030f7f540eba7bd91cdbb9
SHA1

ae8337650eeeee02350533d65d2e145045f15193
SHA256

156cb3c66fe19179f109c0e43ce0c69f046e85d5bb01b13ce9800598591b1edf
SHA512

5e9cf0373fce8ebd3df52c0647291155b064a4376dffc07bdc9e57f888f4c5b6474e654cf954d57cfa14b96df468330ef1ea397ac2a8b7583068222b58a8b060
SSDEEP

98304:kkj5M5oYaD5xIpG/+w/dFzljFAreh5LcQAVXvNNrozeEOvyq:k++5oKpG/jdNljC2LQXlNthqq

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1976	Actualizar.exe

Loads dropped DLL 5 IoCs

pid	Process
1488	c290972218030f7f540eba7bd91cdbb9_JaffaCakes118.exe
1488	c290972218030f7f540eba7bd91cdbb9_JaffaCakes118.exe
1488	c290972218030f7f540eba7bd91cdbb9_JaffaCakes118.exe
1488	c290972218030f7f540eba7bd91cdbb9_JaffaCakes118.exe
1488	c290972218030f7f540eba7bd91cdbb9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c290972218030f7f540eba7bd91cdbb9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Actualizar.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1976	Actualizar.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1976	1488	c290972218030f7f540eba7bd91cdbb9_JaffaCakes118.exe	31
PID 1488 wrote to memory of 1976	1488	c290972218030f7f540eba7bd91cdbb9_JaffaCakes118.exe	31
PID 1488 wrote to memory of 1976	1488	c290972218030f7f540eba7bd91cdbb9_JaffaCakes118.exe	31
PID 1488 wrote to memory of 1976	1488	c290972218030f7f540eba7bd91cdbb9_JaffaCakes118.exe	31
PID 1488 wrote to memory of 1976	1488	c290972218030f7f540eba7bd91cdbb9_JaffaCakes118.exe	31
PID 1488 wrote to memory of 1976	1488	c290972218030f7f540eba7bd91cdbb9_JaffaCakes118.exe	31
PID 1488 wrote to memory of 1976	1488	c290972218030f7f540eba7bd91cdbb9_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\c290972218030f7f540eba7bd91cdbb9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c290972218030f7f540eba7bd91cdbb9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Actualizar.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Actualizar.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\Actualizar.exe

Filesize
644KB

MD5
cdc260f652805885f102aadead923a67

SHA1
b80f6f7558f38e99f019451b8e8fe524d7978181

SHA256
79bf74a2292c056ac40e8d842a6f120567d0b9d9ca093eb96653f2f13c764e56

SHA512
5eff89e17d761a8555bd4bd69d6f834bbcb27be130278e6ebd60065e23cd629e960214268b683cfa58dba5276ba83541f3f410dc738d96d053cb828894e55141

Download Submit