ce4837485f5d54a02a0e361edc72c31b5bf2e6213a164269a4f6732fb36c9cd1

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf63d7dc398d4f73939a19596f46b406_JaffaCakes118.exe
Size

72KB
MD5

cf63d7dc398d4f73939a19596f46b406
SHA1

c9a789df9ece5c2ee103a0c846fce801fdfcb787
SHA256

ce4837485f5d54a02a0e361edc72c31b5bf2e6213a164269a4f6732fb36c9cd1
SHA512

b0c26ccefa60f9ca28b623f5677384291c0f639742ce3a91ac0e08b4151e25d9b00c0be77bc05086f3a91ad1501663d2413f837fba0b35db4dd8ddf0470a14dc
SSDEEP

768:VtosQs9qYCHT5AGX3Pf+E6ybnCEaUfCtkJULwCCudFnToIf1lWgV8srWcyxgjX:DFcYb6bdaU6tkkfdFnToIfBJ1yxi

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2800	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2800	svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ODBC.log	svchost.exe
File created	C:\Windows\addins\svchost.exe	cf63d7dc398d4f73939a19596f46b406_JaffaCakes118.exe
File opened for modification	C:\Windows\addins\svchost.exe	cf63d7dc398d4f73939a19596f46b406_JaffaCakes118.exe
File created	C:\Windows\ODBC.log	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf63d7dc398d4f73939a19596f46b406_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2656	2932	cf63d7dc398d4f73939a19596f46b406_JaffaCakes118.exe	31
PID 2932 wrote to memory of 2656	2932	cf63d7dc398d4f73939a19596f46b406_JaffaCakes118.exe	31
PID 2932 wrote to memory of 2656	2932	cf63d7dc398d4f73939a19596f46b406_JaffaCakes118.exe	31
PID 2932 wrote to memory of 2656	2932	cf63d7dc398d4f73939a19596f46b406_JaffaCakes118.exe	31
PID 2932 wrote to memory of 2656	2932	cf63d7dc398d4f73939a19596f46b406_JaffaCakes118.exe	31
PID 2932 wrote to memory of 2656	2932	cf63d7dc398d4f73939a19596f46b406_JaffaCakes118.exe	31
PID 2932 wrote to memory of 2656	2932	cf63d7dc398d4f73939a19596f46b406_JaffaCakes118.exe	31
PID 2800 wrote to memory of 2780	2800	svchost.exe	34
PID 2800 wrote to memory of 2780	2800	svchost.exe	34
PID 2800 wrote to memory of 2780	2800	svchost.exe	34
PID 2800 wrote to memory of 2780	2800	svchost.exe	34
PID 2800 wrote to memory of 2780	2800	svchost.exe	34
PID 2800 wrote to memory of 2780	2800	svchost.exe	34
PID 2800 wrote to memory of 2780	2800	svchost.exe	34

C:\Users\Admin\AppData\Local\Temp\cf63d7dc398d4f73939a19596f46b406_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cf63d7dc398d4f73939a19596f46b406_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c md "C:\Windows\addins"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2656

C:\Windows\addins\svchost.exe
"C:\Windows\addins\svchost.exe"
1⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c md "C:\Windows\addins"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\TempChong

Filesize
84B

MD5
7909c841acc12506f10a467aef6afe92

SHA1
52fc1ca6c5750b75bf11c5fe25c68986358030ec

SHA256
9d620d9b59fedd9cf5198678b0d045c15d71b214a54d92457c696e1805864607

SHA512
1de4056af78a293f6393d37cee3e056c7fc5a4d14c446ef3e54a00fce5e8d0b7094f8232095a2ce67740db914fec1d8071df32c13551b885c77f96e535381cdb

Download Submit
C:\Windows\addins\svchost.exe

Filesize
44.2MB

MD5
9dc7b12109a9549240696ab6b2ebba2f

SHA1
ab94d0ce240e862e1658f75c76a3bf3a9f25a183

SHA256
16ce9ab66b42d0d21eefd49e40aae45cf4e1301ea41c596c60693f7780284996

SHA512
7230a595dd7c9e5fb19b93d6961bc3e3d6799e8f5941f750d0923658de59e7fd74f2f45428770839cb05879eb74622fa993ea0dfd8b8e4d8bdf77094d0b20e9e

Download Submit