bbb22991314089d6c74c291a6d761337901e8c2ccde8e59cf583b8cbad441a38

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c864798e774b654e85ad120906616059_JaffaCakes118.exe
Size

897KB
MD5

c864798e774b654e85ad120906616059
SHA1

5a436dabd76ac00e9ca5326bc53c70792ef6bf80
SHA256

bbb22991314089d6c74c291a6d761337901e8c2ccde8e59cf583b8cbad441a38
SHA512

9fd3b445ae83f702bac82063fc99b172e331c5234db5da217caead597ac73d99fcbb58bc987819719ad0f654bbd053786d7199fb747522150f69ee6a6e27f8ab
SSDEEP

24576:2QTmcjdltUibSrj7FwOJ/EkE8laHp8BxxJaeVN8t+Ll:qQltFb86ENlasWeVN8t+x

Score

6^/10

discovery

Malware Config

Signatures

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	checkip.dyndns.org

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c864798e774b654e85ad120906616059_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2056	c864798e774b654e85ad120906616059_JaffaCakes118.exe
2056	c864798e774b654e85ad120906616059_JaffaCakes118.exe
2056	c864798e774b654e85ad120906616059_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2056	c864798e774b654e85ad120906616059_JaffaCakes118.exe
2056	c864798e774b654e85ad120906616059_JaffaCakes118.exe
2056	c864798e774b654e85ad120906616059_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\c864798e774b654e85ad120906616059_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c864798e774b654e85ad120906616059_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_Configuration\LineXCfg.lx

Filesize
61B

MD5
a896f25ccff844ab3d4a1aa9130ed90d

SHA1
91ee9817a69f856b140aa9e170c168f74754bd49

SHA256
3b9abe8c69950a4828f515703492c758d57b7a5b4db0423d3208e04f3eae59a3

SHA512
48b44779cf6fe35ac1662c5a43a45188e55a7f76f5c1698dca4461cda150f77e3e97a3e48ffd0508c1b636bb0297c03bf9b71c5379a9b85a0d49727a871eb245

Download Submit
memory/2056-0-0x0000000000400000-0x000000000066A000-memory.dmp

Filesize
2.4MB

Download
memory/2056-2-0x000000000058A000-0x0000000000669000-memory.dmp

Filesize
892KB

Download
memory/2056-1-0x0000000000400000-0x000000000066A000-memory.dmp

Filesize
2.4MB

Download
memory/2056-3-0x0000000000400000-0x000000000066A000-memory.dmp

Filesize
2.4MB

Download
memory/2056-8-0x0000000000400000-0x000000000066A000-memory.dmp

Filesize
2.4MB

Download
memory/2056-15-0x0000000000400000-0x000000000066A000-memory.dmp

Filesize
2.4MB

Download