b68e6bf4696b566055d30a0ccdf35b784b725fe3d30dfce396612fc8058aace3

Analysis

max time kernel
142s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3ac6788e749c433eaf7cd17b0aee92e_JaffaCakes118.exe
Size

1.5MB
MD5

c3ac6788e749c433eaf7cd17b0aee92e
SHA1

58abb9cb9844d8248bab92901571e5069e9f655d
SHA256

b68e6bf4696b566055d30a0ccdf35b784b725fe3d30dfce396612fc8058aace3
SHA512

6e80a5d9a01dde067b5b367d7ed096b168f9f9513904dc35538767331a37c8524721c2d7958ebb33197051da747fbf65471dae34dd0e9675ae3338fd57a036b4
SSDEEP

24576:Ib77WAYBBAEXsG0gj26ohW8jKXe54V+N9ntS/eve+cHE/se:ICAMsG0nlh5jt9cHE/

Score

10^/10

discovery trojan

Malware Config

Signatures

Detects BazaLoader malware 3 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests - JaffaCakes118.

trojan

resource	yara_rule
behavioral2/files/0x0002000000022f9b-5.dat	BazaLoader
behavioral2/memory/1992-16-0x0000000000460000-0x00000000005F0000-memory.dmp	BazaLoader
behavioral2/memory/4696-17-0x0000000000400000-0x0000000000511000-memory.dmp	BazaLoader

Executes dropped EXE 1 IoCs

pid	Process
4696	install.exe

Loads dropped DLL 1 IoCs

pid	Process
4696	install.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	\??\c:\windows\ppsetis.dll	c3ac6788e749c433eaf7cd17b0aee92e_JaffaCakes118.exe
File created	\??\c:\windows\ppsetis.ini	c3ac6788e749c433eaf7cd17b0aee92e_JaffaCakes118.exe
File created	\??\c:\windows\SETUP_9X.INF	install.exe
File created	\??\c:\windows\TVicCommSpy.ocx	install.exe
File created	\??\c:\windows\TVICCOMM.VXD	install.exe
File created	\??\c:\windows\install.exe	c3ac6788e749c433eaf7cd17b0aee92e_JaffaCakes118.exe
File created	C:\WINDOWS\system\svchost.exe	install.exe
File created	\??\c:\windows\SETUP_NT.INF	install.exe
File created	\??\c:\windows\TVicComm.sys	install.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c3ac6788e749c433eaf7cd17b0aee92e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 4696	1992	c3ac6788e749c433eaf7cd17b0aee92e_JaffaCakes118.exe	88
PID 1992 wrote to memory of 4696	1992	c3ac6788e749c433eaf7cd17b0aee92e_JaffaCakes118.exe	88
PID 1992 wrote to memory of 4696	1992	c3ac6788e749c433eaf7cd17b0aee92e_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\c3ac6788e749c433eaf7cd17b0aee92e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c3ac6788e749c433eaf7cd17b0aee92e_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1992
- \??\c:\windows\install.exe
  c:\windows\install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\install.exe

Filesize
1.0MB

MD5
4633553ac82bed9acd29429c03ff7b89

SHA1
37da199a8801a3eaa3fc18771a1d942f44121ca3

SHA256
4cf15b8ba1dc2de2f0d3c835dc5a98ab406ad2bf4b62db8962bd72c627f5d2d7

SHA512
712d07417e27c7545209dd0edb26435d1efc4e079bb15229719215752cfdb4c533532284c3225fdea1d7a1ca18824e3a84a0572375ab06381ff7cec0e1876259

Download Submit
\??\c:\windows\ppsetis.dll

Filesize
112KB

MD5
74e1f47727ad9c4553858e34dce94aa5

SHA1
1f1a93f1be04364b065fafe90667f80cb4ffb201

SHA256
5b61bc55bb243a8192f5bf7a589a53c1e6e5fd251c4c31878bf7ae45070a8e92

SHA512
5425976071f9885c47a15f26820d57512364ca579be26bcaebcdbb2cfe690a77ba89b485cddfd8af1d48dcb0218260630d5bd71b44273636d3ae757961af76d4

Download Submit
memory/1992-0-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/1992-16-0x0000000000460000-0x00000000005F0000-memory.dmp

Filesize
1.6MB

Download
memory/4696-9-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/4696-18-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/4696-17-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download