d630948120e1f39e3fe69e34ea8f5b3cd3d59d330cb84df34088b9e9cecc2133

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c985ab66f55ec0c4850218087165bee4_JaffaCakes118.exe
Size

24KB
MD5

c985ab66f55ec0c4850218087165bee4
SHA1

6ab9c1b989235ea5c3c56b6a0b8deed6e1cf5a39
SHA256

d630948120e1f39e3fe69e34ea8f5b3cd3d59d330cb84df34088b9e9cecc2133
SHA512

ebf6b8a3df4e89527c07b98d690093fc7df9a6c17b30275602a41c36f3f958b0a3bc313f4514ba832bc4a2346d05384c4b927b577a4897f994907351fcb9026d
SSDEEP

384:E3eVES+/xwGkRKJ89RlblM61qmTTMVF9/q5x0:bGS+ZfbJMRNO8qYoAu

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"	c985ab66f55ec0c4850218087165bee4_JaffaCakes118.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
2888	tasklist.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe	c985ab66f55ec0c4850218087165bee4_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c985ab66f55ec0c4850218087165bee4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1200	ipconfig.exe
2716	NETSTAT.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	tasklist.exe
Token: SeDebugPrivilege	2716	NETSTAT.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2652	c985ab66f55ec0c4850218087165bee4_JaffaCakes118.exe
2652	c985ab66f55ec0c4850218087165bee4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2372	2652	c985ab66f55ec0c4850218087165bee4_JaffaCakes118.exe	31
PID 2652 wrote to memory of 2372	2652	c985ab66f55ec0c4850218087165bee4_JaffaCakes118.exe	31
PID 2652 wrote to memory of 2372	2652	c985ab66f55ec0c4850218087165bee4_JaffaCakes118.exe	31
PID 2652 wrote to memory of 2372	2652	c985ab66f55ec0c4850218087165bee4_JaffaCakes118.exe	31
PID 2372 wrote to memory of 2304	2372	cmd.exe	33
PID 2372 wrote to memory of 2304	2372	cmd.exe	33
PID 2372 wrote to memory of 2304	2372	cmd.exe	33
PID 2372 wrote to memory of 2304	2372	cmd.exe	33
PID 2372 wrote to memory of 1200	2372	cmd.exe	34
PID 2372 wrote to memory of 1200	2372	cmd.exe	34
PID 2372 wrote to memory of 1200	2372	cmd.exe	34
PID 2372 wrote to memory of 1200	2372	cmd.exe	34
PID 2372 wrote to memory of 2888	2372	cmd.exe	35
PID 2372 wrote to memory of 2888	2372	cmd.exe	35
PID 2372 wrote to memory of 2888	2372	cmd.exe	35
PID 2372 wrote to memory of 2888	2372	cmd.exe	35
PID 2372 wrote to memory of 2168	2372	cmd.exe	37
PID 2372 wrote to memory of 2168	2372	cmd.exe	37
PID 2372 wrote to memory of 2168	2372	cmd.exe	37
PID 2372 wrote to memory of 2168	2372	cmd.exe	37
PID 2168 wrote to memory of 2676	2168	net.exe	38
PID 2168 wrote to memory of 2676	2168	net.exe	38
PID 2168 wrote to memory of 2676	2168	net.exe	38
PID 2168 wrote to memory of 2676	2168	net.exe	38
PID 2372 wrote to memory of 2716	2372	cmd.exe	39
PID 2372 wrote to memory of 2716	2372	cmd.exe	39
PID 2372 wrote to memory of 2716	2372	cmd.exe	39
PID 2372 wrote to memory of 2716	2372	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\c985ab66f55ec0c4850218087165bee4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c985ab66f55ec0c4850218087165bee4_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c set
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2304
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:1200
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2888
- - C:\Windows\SysWOW64\net.exe
    net start
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start
      4⤵
      System Location Discovery: System Language Discovery
      PID:2676
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -an
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\temp\flash.log

Filesize
8KB

MD5
558ceebbde4a2a685ff065d28e23451c

SHA1
e08e2f22721f6f5e17f6b57fc38b5460fe4e3e81

SHA256
49eb12f0268e07f0b4d313bcccfc7049e65eb689e2aeb09460ee335f1e90e901

SHA512
d04b3fecf250a7e90f60c5981538d8975687e5f14367e1157a5d255ab6931a0101d56f2176f70136898b27f2a4acc810a2513e6e9c896d2abb98607a62da72b3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads