841602e9b3432a87ecb3a38d2c1785937c1d292787e35e2191befa7059ac55e5

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1061c5a0f24983cfa92eb5ce5fb0d3d_JaffaCakes118.exe
Size

468KB
MD5

d1061c5a0f24983cfa92eb5ce5fb0d3d
SHA1

617f7044f18dabf4d1bac25819d43df6e6563daf
SHA256

841602e9b3432a87ecb3a38d2c1785937c1d292787e35e2191befa7059ac55e5
SHA512

f0264a318aa50462fa9be21e0462c79fd5a91324f83464ab8f18bf87f65c25d7b0b1577f371a04a1c691d8d4fad71cf23d8b88a651a1a9ef4bae05ca808a34a0
SSDEEP

3072:V3e353scApo2zZtScJyEMJUBvgunWYviL1yeaULeZIKe8czEnB:O8NTzDFpMJUBgxYvipyeTy79B

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3808	240619765.tmp
4256	app.exe

Loads dropped DLL 1 IoCs

pid	Process
4256	app.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bak8011252.log	240619765.tmp

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\24390.vbs	240619765.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	app.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1061c5a0f24983cfa92eb5ce5fb0d3d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	240619765.tmp

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\	app.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	app.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\	app.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7C9975-ECA1-4190-B0EB-E37BC5E40893}	app.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7C9975-ECA1-4190-B0EB-E37BC5E40893}\	app.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7C9975-ECA1-4190-B0EB-E37BC5E40893}\LocalServer32	app.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7C9975-ECA1-4190-B0EB-E37BC5E40893}\LocalServer32\ = "="	app.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	app.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3808	240619765.tmp
3808	240619765.tmp
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe
4256	app.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 3808	2240	d1061c5a0f24983cfa92eb5ce5fb0d3d_JaffaCakes118.exe	86
PID 2240 wrote to memory of 3808	2240	d1061c5a0f24983cfa92eb5ce5fb0d3d_JaffaCakes118.exe	86
PID 2240 wrote to memory of 3808	2240	d1061c5a0f24983cfa92eb5ce5fb0d3d_JaffaCakes118.exe	86
PID 3808 wrote to memory of 1156	3808	240619765.tmp	87
PID 3808 wrote to memory of 1156	3808	240619765.tmp	87
PID 3808 wrote to memory of 1156	3808	240619765.tmp	87
PID 3808 wrote to memory of 3020	3808	240619765.tmp	88
PID 3808 wrote to memory of 3020	3808	240619765.tmp	88
PID 3808 wrote to memory of 3020	3808	240619765.tmp	88
PID 3808 wrote to memory of 4256	3808	240619765.tmp	89
PID 3808 wrote to memory of 4256	3808	240619765.tmp	89
PID 3808 wrote to memory of 4256	3808	240619765.tmp	89
PID 3020 wrote to memory of 1388	3020	cmd.exe	91
PID 3020 wrote to memory of 1388	3020	cmd.exe	91
PID 3020 wrote to memory of 1388	3020	cmd.exe	91
PID 3020 wrote to memory of 2872	3020	cmd.exe	92
PID 3020 wrote to memory of 2872	3020	cmd.exe	92
PID 3020 wrote to memory of 2872	3020	cmd.exe	92
PID 3020 wrote to memory of 340	3020	cmd.exe	93
PID 3020 wrote to memory of 340	3020	cmd.exe	93
PID 3020 wrote to memory of 340	3020	cmd.exe	93
PID 3020 wrote to memory of 1504	3020	cmd.exe	94
PID 3020 wrote to memory of 1504	3020	cmd.exe	94
PID 3020 wrote to memory of 1504	3020	cmd.exe	94

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1388	attrib.exe
2872	attrib.exe

C:\Users\Admin\AppData\Local\Temp\d1061c5a0f24983cfa92eb5ce5fb0d3d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d1061c5a0f24983cfa92eb5ce5fb0d3d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\240619765.tmp
  C:\Users\Admin\AppData\Local\Temp\240619765.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe C:\PROGRA~1\COMMON~1\24390.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\LK2X5D8\598.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +H +R "C:\Users\Admin\AppData\Local\Temp\5d1e190799c05d109e1bd7256dbde3dd.dat"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1388
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +H +R "C:\LK2X5D8"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:340
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\AppData\Local\Temp\5d1e190799c05d109e1bd7256dbde3dd.dat" /T /P everyone:N
      4⤵
      System Location Discovery: System Language Discovery
      PID:1504
- - C:\LK2X5D8\app.exe
    C:\LK2X5D8\app.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LK2X5D8\598.bat

Filesize
292B

MD5
3205538cd3c45ce60f815c6cf3097d82

SHA1
c9b5d37ec9d1ad99ec487019e6d0bf872ed7e40f

SHA256
5a3e01110eaf7b7408bdf58e48a4c097f228a91d457438c0f5fbd85d891c1edd

SHA512
9132046fa09e47681b75212b4356fd2c201914eb938e569f4a5e3efea19d2b87540ea94f221c6a27e686a085bbf46d27fea3dc8c462c4773ba8ba124037c5933

Download Submit
C:\LK2X5D8\app.exe

Filesize
15KB

MD5
c8c7f7472e5c059cbcc99d1eedd0d1ae

SHA1
10013a17639887f8c8ee2b37ec111352b9102832

SHA256
066bd9a9e327df4422beb4922e49be328db8adc1b7c6fad7e4b5f1c47c5655c9

SHA512
82762abeade3df840095f95f0559a1a6164e62bae3ff74e547df22dc59034b3ac65a540065aba2434798a6d3a8915ac455d564e0ab885333601fffa32e3272d0

Download Submit
C:\PROGRA~1\COMMON~1\24390.vbs

Filesize
2.4MB

MD5
435cd5fa1fdfe99e9e1a52b342bf6935

SHA1
054e9dfc3de7ea5cd2753d3c895a2efc3d24ac1f

SHA256
712a3050cde740c54f707f319d32190d52c6fe5e0e59f1472c168606b14bc7a8

SHA512
6173bdce07208ae82804b96c13901a2e758bce5d6bb67f9580e2b62fbaa668d6f13962b053a401cce49137d0e4d649f898ff3716d8a4f5bcf5646200ccf458f9

Download Submit
C:\Windows\SysWOW64\bak8011252.log

Filesize
47B

MD5
f970e8c203b2bff85eba8face91dc9ad

SHA1
133339f28dea6d20bd5890ffb438f875761658ad

SHA256
80bb30d22b03af098509ef8eed63346149e43def0ce40c2642df7a0b011a2465

SHA512
082a9de7b0ef4e2eb503465e0e66309f05414f3e20aa9f39496a33adf1dab15caf4885d655d98931e7ea6b0b9d08977a4ebaa052c117af76548bf461122b7a8b

Download Submit
memory/3808-5-0x0000000000400000-0x0000000004F51000-memory.dmp

Filesize
75.3MB

Download
memory/3808-24-0x0000000000400000-0x0000000004F51000-memory.dmp

Filesize
75.3MB

Download