221ae4bf4c96eadd0853a377fe2747b83401264223f265d925167a687f7afbcf

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0152335b8a9b870e7186b4915d29dcd_JaffaCakes118.exe
Size

363KB
MD5

d0152335b8a9b870e7186b4915d29dcd
SHA1

90d4b56aa9e245cf0f4ddbaf5d734447268e7f45
SHA256

221ae4bf4c96eadd0853a377fe2747b83401264223f265d925167a687f7afbcf
SHA512

c20e7503a04be5af15f5f24a3f900762ac8842469b2951ffede0c7167beca74e10644a66691d9a9a154092bfbe2eee1979ce08232caeff04379d8a5813c79a21
SSDEEP

6144:IQqX9fNj4FfyhQU3jIDMppZ9VcbLie/AeNH9uzhRXp7eFTNQFF8kvlQxH:A9N0uQU3iKPe4EH9uFQTCmUQB

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1328	DLG.exe

Loads dropped DLL 5 IoCs

pid	Process
3424	d0152335b8a9b870e7186b4915d29dcd_JaffaCakes118.exe
3424	d0152335b8a9b870e7186b4915d29dcd_JaffaCakes118.exe
3424	d0152335b8a9b870e7186b4915d29dcd_JaffaCakes118.exe
3424	d0152335b8a9b870e7186b4915d29dcd_JaffaCakes118.exe
3424	d0152335b8a9b870e7186b4915d29dcd_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0152335b8a9b870e7186b4915d29dcd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DLG.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	DLG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	DLG.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\IESettingSync	DLG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	DLG.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1508	WMIC.exe
Token: SeSecurityPrivilege	1508	WMIC.exe
Token: SeTakeOwnershipPrivilege	1508	WMIC.exe
Token: SeLoadDriverPrivilege	1508	WMIC.exe
Token: SeSystemProfilePrivilege	1508	WMIC.exe
Token: SeSystemtimePrivilege	1508	WMIC.exe
Token: SeProfSingleProcessPrivilege	1508	WMIC.exe
Token: SeIncBasePriorityPrivilege	1508	WMIC.exe
Token: SeCreatePagefilePrivilege	1508	WMIC.exe
Token: SeBackupPrivilege	1508	WMIC.exe
Token: SeRestorePrivilege	1508	WMIC.exe
Token: SeShutdownPrivilege	1508	WMIC.exe
Token: SeDebugPrivilege	1508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1508	WMIC.exe
Token: SeRemoteShutdownPrivilege	1508	WMIC.exe
Token: SeUndockPrivilege	1508	WMIC.exe
Token: SeManageVolumePrivilege	1508	WMIC.exe
Token: 33	1508	WMIC.exe
Token: 34	1508	WMIC.exe
Token: 35	1508	WMIC.exe
Token: 36	1508	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1508	WMIC.exe
Token: SeSecurityPrivilege	1508	WMIC.exe
Token: SeTakeOwnershipPrivilege	1508	WMIC.exe
Token: SeLoadDriverPrivilege	1508	WMIC.exe
Token: SeSystemProfilePrivilege	1508	WMIC.exe
Token: SeSystemtimePrivilege	1508	WMIC.exe
Token: SeProfSingleProcessPrivilege	1508	WMIC.exe
Token: SeIncBasePriorityPrivilege	1508	WMIC.exe
Token: SeCreatePagefilePrivilege	1508	WMIC.exe
Token: SeBackupPrivilege	1508	WMIC.exe
Token: SeRestorePrivilege	1508	WMIC.exe
Token: SeShutdownPrivilege	1508	WMIC.exe
Token: SeDebugPrivilege	1508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1508	WMIC.exe
Token: SeRemoteShutdownPrivilege	1508	WMIC.exe
Token: SeUndockPrivilege	1508	WMIC.exe
Token: SeManageVolumePrivilege	1508	WMIC.exe
Token: 33	1508	WMIC.exe
Token: 34	1508	WMIC.exe
Token: 35	1508	WMIC.exe
Token: 36	1508	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1328	DLG.exe
1328	DLG.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 2428	3424	d0152335b8a9b870e7186b4915d29dcd_JaffaCakes118.exe	84
PID 3424 wrote to memory of 2428	3424	d0152335b8a9b870e7186b4915d29dcd_JaffaCakes118.exe	84
PID 3424 wrote to memory of 2428	3424	d0152335b8a9b870e7186b4915d29dcd_JaffaCakes118.exe	84
PID 2428 wrote to memory of 1508	2428	cmd.exe	87
PID 2428 wrote to memory of 1508	2428	cmd.exe	87
PID 2428 wrote to memory of 1508	2428	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\d0152335b8a9b870e7186b4915d29dcd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d0152335b8a9b870e7186b4915d29dcd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c wmic process call create "C:\Users\Admin\AppData\Local\Temp\nsw7E87.tmp\DLG.exe -- d0152335b8a9b870e7186b4915d29dcd_JaffaCakes118.exe","C:\Users\Admin\AppData\Local\Temp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic process call create "C:\Users\Admin\AppData\Local\Temp\nsw7E87.tmp\DLG.exe -- d0152335b8a9b870e7186b4915d29dcd_JaffaCakes118.exe","C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1508

C:\Users\Admin\AppData\Local\Temp\nsw7E87.tmp\DLG.exe
C:\Users\Admin\AppData\Local\Temp\nsw7E87.tmp\DLG.exe -- d0152335b8a9b870e7186b4915d29dcd_JaffaCakes118.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DLG\initWindow\noconnection.html

Filesize
2KB

MD5
c6d5838d332020f4443e0022bd80b311

SHA1
0fa529423919efb7c6355cd3f5343a89629b2354

SHA256
249d55e92d031733c2b8d3c837af7eb9b5f4c07105f724efaef37dc378ef9926

SHA512
9ac73d1e8a8006b4216a3d89ba575b3aa21d8ff04209eced41c48e10d1c7532c987769a6a7e9bc9801b773afdeb743727fc6e82cc9386fe8db47980f807f3f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E87.tmp\DLG.exe

Filesize
569KB

MD5
253abf4e2e0583598965dc06a69be452

SHA1
ef51bd181dc4dfc4fcf2047aab050bf18eaca438

SHA256
a29243b8d8d1f0deeef81703f29fa90c4b477ebb417b7e60cfb0cab78b878a0e

SHA512
d5e5b79e087f0d5c2d52a06928b40095f4cb406e861cbec070aeb5bb46ba8ece0478732f796172e2b0f673e83e098b6a3d342e55947267fbd1f39a58ff353ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E87.tmp\DcryptDll.dll

Filesize
14KB

MD5
904beebec2790ee2ca0c90fc448ac7e0

SHA1
40fabf1eb0a3b7168351c4514c5288216cb1566d

SHA256
f730d9385bf72eac5d579bcf1f7e4330f1d239ca1054d4ead48e9e363d9f4222

SHA512
8bdbbaaf73e396cf9fd9866b3e824b7e70c59a2bdefdb3236387e60d0e645d011265fe79fb193f6c0d6abe2e9c01260720c71cd8f068fcc4624760511c54efaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E87.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E87.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw7E87.tmp\nsP7ZIP.dll

Filesize
95KB

MD5
63d1fdac90da45c39b752671bc298e2c

SHA1
62d31cc63912a945e345d3ecd7145b09a74c0ff6

SHA256
6a921cfd66e7ed299c4c97499c9441d57c5b5f1328fa7ef09a11e95d92036710

SHA512
b4be365fbfa43e3970b875ade297c2820d1867bff5e3d3d36f91cc25f41a5e5040ca4057e319830fb5808fc2f9f42a2b7fcef8007ac668e9cf62a98a38891b86

Download Submit
memory/1328-31-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/1328-58-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download