ca5cf4d992edd06dba1dc111bf62894c359d47127266f49a23904934c3939ef9

Analysis

max time kernel
134s
max time network
143s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 09:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cf31e5f86a2597674bdc0d20bf977d8e_JaffaCakes118.exe
Size

378KB
MD5

cf31e5f86a2597674bdc0d20bf977d8e
SHA1

115d96043f9921f1a021dac144882ab7df55b647
SHA256

ca5cf4d992edd06dba1dc111bf62894c359d47127266f49a23904934c3939ef9
SHA512

f3f84813871dc578d9fd2a59b50f53e8b5b16f7d9ceb43ac0c288d6a32b5bb49371d3b7f3e2e72f46c572f3aed0b4491a07518c35f09e9c78e70d2099b0fcd9b
SSDEEP

6144:BfO9U+k6d/IVqQhPBDGfn8HGlNZJV3zer5pmJ/cSqIe3W2HJVOCaZQUdLeonr:c9UgtQhDHGV/KrTmJ/XqIem28QCDr

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2732	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2564	ldwc.exe

Loads dropped DLL 2 IoCs

pid	Process
2732	cmd.exe
2732	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinRM = "C:\\Users\\Admin\\AppData\\Local\\WinRM.exe"	regedit.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2564 set thread context of 2776	2564	ldwc.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ldwc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf31e5f86a2597674bdc0d20bf977d8e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Runs .reg file with regedit 1 IoCs

pid	Process
2208	regedit.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1656	EXCEL.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1656	EXCEL.EXE
1656	EXCEL.EXE
1656	EXCEL.EXE
1656	EXCEL.EXE

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2732	2644	cf31e5f86a2597674bdc0d20bf977d8e_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2732	2644	cf31e5f86a2597674bdc0d20bf977d8e_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2732	2644	cf31e5f86a2597674bdc0d20bf977d8e_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2732	2644	cf31e5f86a2597674bdc0d20bf977d8e_JaffaCakes118.exe	30
PID 2732 wrote to memory of 1656	2732	cmd.exe	32
PID 2732 wrote to memory of 1656	2732	cmd.exe	32
PID 2732 wrote to memory of 1656	2732	cmd.exe	32
PID 2732 wrote to memory of 1656	2732	cmd.exe	32
PID 2732 wrote to memory of 1656	2732	cmd.exe	32
PID 2732 wrote to memory of 1656	2732	cmd.exe	32
PID 2732 wrote to memory of 1656	2732	cmd.exe	32
PID 2732 wrote to memory of 1656	2732	cmd.exe	32
PID 2732 wrote to memory of 1656	2732	cmd.exe	32
PID 2732 wrote to memory of 2564	2732	cmd.exe	33
PID 2732 wrote to memory of 2564	2732	cmd.exe	33
PID 2732 wrote to memory of 2564	2732	cmd.exe	33
PID 2732 wrote to memory of 2564	2732	cmd.exe	33
PID 2564 wrote to memory of 2776	2564	ldwc.exe	34
PID 2564 wrote to memory of 2776	2564	ldwc.exe	34
PID 2564 wrote to memory of 2776	2564	ldwc.exe	34
PID 2564 wrote to memory of 2776	2564	ldwc.exe	34
PID 2564 wrote to memory of 2776	2564	ldwc.exe	34
PID 2564 wrote to memory of 2776	2564	ldwc.exe	34
PID 2564 wrote to memory of 2776	2564	ldwc.exe	34
PID 2564 wrote to memory of 2776	2564	ldwc.exe	34
PID 2564 wrote to memory of 2776	2564	ldwc.exe	34
PID 2776 wrote to memory of 2208	2776	svchost.exe	35
PID 2776 wrote to memory of 2208	2776	svchost.exe	35
PID 2776 wrote to memory of 2208	2776	svchost.exe	35
PID 2776 wrote to memory of 2208	2776	svchost.exe	35

C:\Users\Admin\AppData\Local\Temp\cf31e5f86a2597674bdc0d20bf977d8e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cf31e5f86a2597674bdc0d20bf977d8e_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ldwc.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1656
- - C:\Users\Admin\AppData\Local\Temp\ldwc.exe
    "C:\Users\Admin\AppData\Local\Temp\ldwc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe "C:\Users\Admin\AppData\Local\Temp\ldwc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit.exe /s C:\Users\Admin\AppData\Local\Temp\~dfds3.reg
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.XLS

Filesize
274KB

MD5
a8f5a15bd48765d45b5892831cf6e3ad

SHA1
269511ff8aed590aa78d15de949d2500b699f360

SHA256
c5d4e3cf03b0bb55c1c9a8747c0a78b20695848e46d1539b66bc98f945eb2782

SHA512
b6a94aae92cd30d49f25176d1c902d8b79a3f789f4974605e9f8a127c28edc61105cb5d89ef763072719014fd12ed35c5d77a46f7e327bc3064edfc03008aba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldwc.bat

Filesize
30KB

MD5
cdc511797f0a2a7ccc9c98b0e23cced6

SHA1
ebb2a3995c60360736c149439c10b53d8a5d8208

SHA256
86a7fb087b3159afe94f22af50f920f73b050721a963420f974ed6b0ce6e9f98

SHA512
861c2be319173a94a0c949af40b6d06bec2da0adc10b81834c090cb767d7fa64ace44db5194703650fe0b4e6fb1ab707e50fdec816941822caac7f290f0f732a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldwc.exe

Filesize
36KB

MD5
996376a04c664c6e762f78e98b505b92

SHA1
7b01c9a52bdafd1b2d96cecde9053b06e537d7b6

SHA256
55cf68d7c6884777f7e39c939c4ec10d97f2d9fa825d6e6570f541726310d2b4

SHA512
b7c7b1575fd6080670cac6c36b908f44113403a23031515bb701ac5ad6b5b8290ce97797e33cbe0c108148700dfccc234e12c6e82850451c74e750e8b6486a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\~awinhp.tmp

Filesize
4KB

MD5
2be064f48a055a26202c86fc075640eb

SHA1
c8bde7ea195c1ad7a15c7141d58310b3a6cc8858

SHA256
80816c46c49e47d4e048a6a00c1816b39b7c68de298fef029eade88f1592376a

SHA512
4ef352bd51fb25940f3064e8412df0f2b206758d478c2e1dc154783215b8a6e25d70d26d686815b6ab18a465d5860b73c349b50fc1c9eb258c46c30356f5b017

Download Submit
C:\Users\Admin\AppData\Local\Temp\~dfds3.reg

Filesize
162B

MD5
ac2172a4d99e15c7748475684bb258f1

SHA1
fc1d00e84479d16b41549918f47898b82f462623

SHA256
2b888cf96d7116c7c52c1c693eadfcb2e1a037a72bb51f060eabcf235160ce72

SHA512
63d65d9230b0e8431192c7ff5124af539bf0b14923c246469e28be2c0750c57c35491337a7b6beda6ecdfe7226c8035c91d72662bb7aa7586cbe9a71a120ec71

Download Submit
memory/1656-1033-0x00000000722AD000-0x00000000722B8000-memory.dmp

Filesize
44KB

Download
memory/1656-1032-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1656-1038-0x00000000722AD000-0x00000000722B8000-memory.dmp

Filesize
44KB

Download
memory/1656-1039-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1656-1040-0x00000000722AD000-0x00000000722B8000-memory.dmp

Filesize
44KB

Download
memory/2564-1059-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2564-1047-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2732-1045-0x0000000000130000-0x0000000000139000-memory.dmp

Filesize
36KB

Download
memory/2732-1044-0x0000000000130000-0x0000000000139000-memory.dmp

Filesize
36KB

Download
memory/2776-1056-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2776-1058-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2776-1054-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2776-1052-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2776-1050-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2776-1048-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2776-1062-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2776-1063-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2776-1066-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads