841602e9b3432a87ecb3a38d2c1785937c1d292787e35e2191befa7059ac55e5

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1061c5a0f24983cfa92eb5ce5fb0d3d_JaffaCakes118.exe
Size

468KB
MD5

d1061c5a0f24983cfa92eb5ce5fb0d3d
SHA1

617f7044f18dabf4d1bac25819d43df6e6563daf
SHA256

841602e9b3432a87ecb3a38d2c1785937c1d292787e35e2191befa7059ac55e5
SHA512

f0264a318aa50462fa9be21e0462c79fd5a91324f83464ab8f18bf87f65c25d7b0b1577f371a04a1c691d8d4fad71cf23d8b88a651a1a9ef4bae05ca808a34a0
SSDEEP

3072:V3e353scApo2zZtScJyEMJUBvgunWYviL1yeaULeZIKe8czEnB:O8NTzDFpMJUBgxYvipyeTy79B

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2928	259458132.tmp
2192	app.exe

Loads dropped DLL 5 IoCs

pid	Process
1908	d1061c5a0f24983cfa92eb5ce5fb0d3d_JaffaCakes118.exe
1908	d1061c5a0f24983cfa92eb5ce5fb0d3d_JaffaCakes118.exe
2928	259458132.tmp
2928	259458132.tmp
2192	app.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bak8011252.log	259458132.tmp

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\62006.vbs	259458132.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1061c5a0f24983cfa92eb5ce5fb0d3d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	259458132.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	app.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7C9975-ECA1-4190-B0EB-E37BC5E40893}\LocalServer32	app.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7C9975-ECA1-4190-B0EB-E37BC5E40893}\LocalServer32\ = "="	app.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	app.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\	app.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	app.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\	app.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7C9975-ECA1-4190-B0EB-E37BC5E40893}	app.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7C9975-ECA1-4190-B0EB-E37BC5E40893}\	app.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2928	259458132.tmp
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe
2192	app.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1568	DllHost.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2928	1908	d1061c5a0f24983cfa92eb5ce5fb0d3d_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2928	1908	d1061c5a0f24983cfa92eb5ce5fb0d3d_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2928	1908	d1061c5a0f24983cfa92eb5ce5fb0d3d_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2928	1908	d1061c5a0f24983cfa92eb5ce5fb0d3d_JaffaCakes118.exe	31
PID 2928 wrote to memory of 2724	2928	259458132.tmp	32
PID 2928 wrote to memory of 2724	2928	259458132.tmp	32
PID 2928 wrote to memory of 2724	2928	259458132.tmp	32
PID 2928 wrote to memory of 2724	2928	259458132.tmp	32
PID 2928 wrote to memory of 2632	2928	259458132.tmp	33
PID 2928 wrote to memory of 2632	2928	259458132.tmp	33
PID 2928 wrote to memory of 2632	2928	259458132.tmp	33
PID 2928 wrote to memory of 2632	2928	259458132.tmp	33
PID 2928 wrote to memory of 2192	2928	259458132.tmp	35
PID 2928 wrote to memory of 2192	2928	259458132.tmp	35
PID 2928 wrote to memory of 2192	2928	259458132.tmp	35
PID 2928 wrote to memory of 2192	2928	259458132.tmp	35
PID 2632 wrote to memory of 1044	2632	cmd.exe	36
PID 2632 wrote to memory of 1044	2632	cmd.exe	36
PID 2632 wrote to memory of 1044	2632	cmd.exe	36
PID 2632 wrote to memory of 1044	2632	cmd.exe	36
PID 2632 wrote to memory of 1724	2632	cmd.exe	37
PID 2632 wrote to memory of 1724	2632	cmd.exe	37
PID 2632 wrote to memory of 1724	2632	cmd.exe	37
PID 2632 wrote to memory of 1724	2632	cmd.exe	37
PID 2632 wrote to memory of 1868	2632	cmd.exe	38
PID 2632 wrote to memory of 1868	2632	cmd.exe	38
PID 2632 wrote to memory of 1868	2632	cmd.exe	38
PID 2632 wrote to memory of 1868	2632	cmd.exe	38
PID 2632 wrote to memory of 2856	2632	cmd.exe	39
PID 2632 wrote to memory of 2856	2632	cmd.exe	39
PID 2632 wrote to memory of 2856	2632	cmd.exe	39
PID 2632 wrote to memory of 2856	2632	cmd.exe	39

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1044	attrib.exe
1724	attrib.exe

C:\Users\Admin\AppData\Local\Temp\d1061c5a0f24983cfa92eb5ce5fb0d3d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d1061c5a0f24983cfa92eb5ce5fb0d3d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Local\Temp\259458132.tmp
  C:\Users\Admin\AppData\Local\Temp\259458132.tmp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe C:\PROGRA~1\COMMON~1\62006.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\LK2X5D8\707.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +H +R "C:\Users\Admin\AppData\Local\Temp\5d1e190799c05d109e1bd7256dbde3dd.dat"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1044
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +H +R "C:\LK2X5D8"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1868
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\AppData\Local\Temp\5d1e190799c05d109e1bd7256dbde3dd.dat" /T /P everyone:N
      4⤵
      System Location Discovery: System Language Discovery
      PID:2856
- - C:\LK2X5D8\app.exe
    C:\LK2X5D8\app.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:2192

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LK2X5D8\707.bat

Filesize
292B

MD5
3205538cd3c45ce60f815c6cf3097d82

SHA1
c9b5d37ec9d1ad99ec487019e6d0bf872ed7e40f

SHA256
5a3e01110eaf7b7408bdf58e48a4c097f228a91d457438c0f5fbd85d891c1edd

SHA512
9132046fa09e47681b75212b4356fd2c201914eb938e569f4a5e3efea19d2b87540ea94f221c6a27e686a085bbf46d27fea3dc8c462c4773ba8ba124037c5933

Download Submit
C:\PROGRA~1\COMMON~1\62006.vbs

Filesize
8.3MB

MD5
ffa8bfd6e39a3c1fb7b5102ac3960bd8

SHA1
cdcd004a4a5e4e2a359d40a258218f8e4a630a78

SHA256
53989131d61f409552dfdf15d124d37f559c6dbe983223c575d456cc2c704a2d

SHA512
50ff2ebcc85e21759543c0b2ab5bbb43855026afbf700dc9e04d71d6216d99057a8292e09471b0b8b019c3368ec46b4ba53c0f93632f504279e509aa4ac349ec

Download Submit
C:\Windows\SysWOW64\bak8011252.log

Filesize
47B

MD5
18f104d291adb11c18ae278fa77d0631

SHA1
f2f6e6e76c70f5620abd029c8bf858729e6401ee

SHA256
57ee3b64e40fa4ceb52ff6ecddc6da5e09103a89f999a1242932b093e8799957

SHA512
310f80c4041157a6466113fadcd084592000c1f3fa123358b09e0a23c09ebfa9bb9448532fd9fabff7f9c63f484253233e36258ab11ee5c36cb20d4766068641

Download Submit
C:\temp.jpg

Filesize
9KB

MD5
a79844384488e56529a2674a93f3f4fa

SHA1
a18a11e226aa6277b52dc164235b2dd2b9ba6b45

SHA256
5e26746f8e4db0c10c96c7f48bb7f577b5422acd0d711eb04674ecc00691c57e

SHA512
6bc41d481f0a4afba4efc37cce3de1ea2cb33f48cc820da7103a5b41adaf6d3b6b8241cdcaac71c552d287d356edf44aeea73a3e03238677ad19e2eea6a0cd54

Download Submit
\LK2X5D8\app.exe

Filesize
15KB

MD5
c8c7f7472e5c059cbcc99d1eedd0d1ae

SHA1
10013a17639887f8c8ee2b37ec111352b9102832

SHA256
066bd9a9e327df4422beb4922e49be328db8adc1b7c6fad7e4b5f1c47c5655c9

SHA512
82762abeade3df840095f95f0559a1a6164e62bae3ff74e547df22dc59034b3ac65a540065aba2434798a6d3a8915ac455d564e0ab885333601fffa32e3272d0

Download Submit
memory/1568-2-0x00000000002A0000-0x00000000002A2000-memory.dmp

Filesize
8KB

Download
memory/1568-3-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1568-41-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1908-1-0x0000000000500000-0x0000000000502000-memory.dmp

Filesize
8KB

Download
memory/1908-42-0x0000000011FF0000-0x0000000016B41000-memory.dmp

Filesize
75.3MB

Download