03961b488ac9a29a67b461cd4034ef352858533d427dd56ab8f5ffcf08957104

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
Size

14KB
MD5

cfb422e606a0550e8190ca632d885abb
SHA1

b4be180b680d83c094744f5557654a499e33af5f
SHA256

03961b488ac9a29a67b461cd4034ef352858533d427dd56ab8f5ffcf08957104
SHA512

ef02c9d3b11640bbff0442f6a5be1c44fe3e38756875a6a2b63ec899efedc71f78cd16b8b5f7bc4d19f3941520211bbfb75d79d520033cceb384e5ea458b9764
SSDEEP

192:zRaZ4+jL2qldwxCUY9oxZHLw+cTOpmmeQRu6UhVIsTEbH8Zg3PAJeExybIuQwKXi:zRY4+n2idl96pyVQl4JrxC6uuBNEr

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3040	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xdndn.dll	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xdndn.dll	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\jkhjsd.dll	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\jkhjsd.dll	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fydgky.dll	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fydgky.dll	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xdndn.cfg	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
Token: SeDebugPrivilege	2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
Token: SeDebugPrivilege	2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
Token: SeDebugPrivilege	2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 1228	2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe	21
PID 2728 wrote to memory of 1228	2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe	21
PID 2728 wrote to memory of 452	2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe	17
PID 2728 wrote to memory of 452	2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe	17
PID 2728 wrote to memory of 3040	2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe	30
PID 2728 wrote to memory of 3040	2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe	30
PID 2728 wrote to memory of 3040	2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe	30
PID 2728 wrote to memory of 3040	2728	cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe	30

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:452

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228
- C:\Users\Admin\AppData\Local\Temp\cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\cfb422e606a0550e8190ca632d885abb_JaffaCakes118.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\xdndn.dll

Filesize
29KB

MD5
a5c90005f0bcf4b8fd528a37d717210c

SHA1
e45253e049755aca8cafcf1add1ca21505541552

SHA256
c738987cb1c2a1e7877863c2fbbcf850b678908a97883c6f63136a2077d4368b

SHA512
59f853f17e8b318604e1373c8b48d01e9d05a40977d1699d7a6b0fd2c86f8ddbf60c566fc62958edb35ab974703022b4670a2b80bd209551883ef34d9589b377

Download Submit
memory/1228-6-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/2728-12-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download