a1eab63dc61cad612ca73aadd3bb8a7e1de2f154909ff5378992a6e617f69ddb

Analysis

max time kernel
32s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 13:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c8ddc2156277f4b8aa55564787edace0_JaffaCakes118.exe
Size

281KB
MD5

c8ddc2156277f4b8aa55564787edace0
SHA1

352052d0881acc0ca7a42d4bf60b81c44b7e15b4
SHA256

a1eab63dc61cad612ca73aadd3bb8a7e1de2f154909ff5378992a6e617f69ddb
SHA512

ed863ac1a7e15b758c1ab13d48a137d4914c4b247e68c3b307cc5e2d3d17115e2ab7ae30978e89f742bef819a6c26fec6fa323fccdc71b6ae7de371e445ee8dd
SSDEEP

6144:EmQ8Ufw/M/eUfTWOP9uo51oe1jfohAjLdO9E1vO/hD3lMZBperIh+8:2w/lUb7oeCovO/ZVMZBpec

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2788	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1644	svohst.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svohst.exe	c8ddc2156277f4b8aa55564787edace0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\svohst.exe	svohst.exe
File created	C:\Windows\SysWOW64\Deleteme.bat	c8ddc2156277f4b8aa55564787edace0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\svohst.exe	c8ddc2156277f4b8aa55564787edace0_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8ddc2156277f4b8aa55564787edace0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svohst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2788	2540	c8ddc2156277f4b8aa55564787edace0_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2788	2540	c8ddc2156277f4b8aa55564787edace0_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2788	2540	c8ddc2156277f4b8aa55564787edace0_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2788	2540	c8ddc2156277f4b8aa55564787edace0_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\c8ddc2156277f4b8aa55564787edace0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c8ddc2156277f4b8aa55564787edace0_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2788

C:\Windows\SysWOW64\svohst.exe
C:\Windows\SysWOW64\svohst.exe -NetSata
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Deleteme.bat

Filesize
212B

MD5
52ad0bbb678d2d67cd3875bea873949d

SHA1
e686f9d0d854c19f466483112db6f7b35fe84483

SHA256
c7faa87a3e80428c9367d9e3a4db4041506b960fd8d742eee4275106053df3c8

SHA512
d41286dec94f75b1a399fc639ac8c6f25e4cbfd66e9f63b3c336100e267a78be68a7e48240ac4a1f6c8436d5b188d74d8c4e2144bc21d72dbeefe659f67af76a

Download Submit
C:\Windows\SysWOW64\svohst.exe

Filesize
281KB

MD5
c8ddc2156277f4b8aa55564787edace0

SHA1
352052d0881acc0ca7a42d4bf60b81c44b7e15b4

SHA256
a1eab63dc61cad612ca73aadd3bb8a7e1de2f154909ff5378992a6e617f69ddb

SHA512
ed863ac1a7e15b758c1ab13d48a137d4914c4b247e68c3b307cc5e2d3d17115e2ab7ae30978e89f742bef819a6c26fec6fa323fccdc71b6ae7de371e445ee8dd

Download Submit
memory/1644-6-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1644-7-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1644-9-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2540-0-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2540-1-0x000000000047E000-0x000000000047F000-memory.dmp

Filesize
4KB

Download
memory/2540-3-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2540-8-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download