20b63057dc3181241c41843e73eb552b4e76a16c028b5d71ab8157fc00ba492d

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf9714e733c55db0d955bf239246d360_JaffaCakes118.exe
Size

138KB
MD5

cf9714e733c55db0d955bf239246d360
SHA1

bda44680d14e92de32af386e261ec6024a7b641a
SHA256

20b63057dc3181241c41843e73eb552b4e76a16c028b5d71ab8157fc00ba492d
SHA512

289540610f467ea78103a80cc65c33320ea48a5edd1f06d31187ac73ea610df88fed8a407ceba08486b656df05cdf0883671efdcfc5e8bc47495b5aa0f936de5
SSDEEP

1536:NPljgLoXRMscZcRGlA339CY5eFCcnhTkfsu0b2b1cSucnsWjcdq5Dt4zn5AFYd6q:NPluZcgAdz5eIcxb2bkZq5DtgKYd6q

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf9714e733c55db0d955bf239246d360_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 3032	1984	cf9714e733c55db0d955bf239246d360_JaffaCakes118.exe	30
PID 1984 wrote to memory of 3032	1984	cf9714e733c55db0d955bf239246d360_JaffaCakes118.exe	30
PID 1984 wrote to memory of 3032	1984	cf9714e733c55db0d955bf239246d360_JaffaCakes118.exe	30
PID 1984 wrote to memory of 3032	1984	cf9714e733c55db0d955bf239246d360_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\cf9714e733c55db0d955bf239246d360_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cf9714e733c55db0d955bf239246d360_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Local\Temp\\ca0f0994-652a-4fcd-9805-1d32c2dcad28\\progress.hta
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ca0f0994-652a-4fcd-9805-1d32c2dcad28\loader.gif

Filesize
2KB

MD5
dc71cfccfa7f7433acdbeb1d05f535da

SHA1
1021a1704407b3c8e9179f41da0d75c1336764b4

SHA256
5c675af293b13db61c983482ed0d532681c9f3b8504118759b20e0b4f212741e

SHA512
4b657ce57e7aa60439da2c1f53befdd2409de2668b0a7c7a04bdaeca39fd9c05eb5ea78608182fdb78bb5ac08e67a6dd563407e6eb017656713d29bfb27eca9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca0f0994-652a-4fcd-9805-1d32c2dcad28\progress.hta

Filesize
856B

MD5
125daf8247d542e5ce80923d9f013626

SHA1
0150ff97dabada2c2cad294dba97881bbb3dc33c

SHA256
8ec749e27ea3c663de0a86b6123a875ac001accc48ea7191e79ae51036961bac

SHA512
40f05ffbaf28114a1c3295b7b98d5857d132b968b7cf6fa3dd03579985866482bd4b96cae12a7a430acf98f6fd6187ac4285aa83bb0e12bdbcd39e7dd0051397

Download Submit