09836b9e8b448fb1b366782468c7a1b0ee4f94d76b8f83113b0c406b4812bac1

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1fb64e7bae9956e7acd17569d86d6b4_JaffaCakes118.exe
Size

4.4MB
MD5

d1fb64e7bae9956e7acd17569d86d6b4
SHA1

6f00ae07b018e1109cadb50906edc352335ebafc
SHA256

09836b9e8b448fb1b366782468c7a1b0ee4f94d76b8f83113b0c406b4812bac1
SHA512

5fbf36ce85ba9e254f267eb83d6821b924c8dbbecbb8844755541a3f4d8f42975af8a1c50d4d70e2692bfb9028e96b30f7302b0b03e5a456a9cbcce94db728d7
SSDEEP

98304:AVlt6e/13GubI7bnFap+Ez4hAOpsumXOLBu6RvMGGQ:wSSZbI7bG4KOG+LBjMGGQ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1900	StartHtm.exe

Loads dropped DLL 1 IoCs

pid	Process
2116	d1fb64e7bae9956e7acd17569d86d6b4_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\starthtmWeb.ini	StartHtm.exe
File opened for modification	C:\Windows\starthtmWeb.ini	StartHtm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1fb64e7bae9956e7acd17569d86d6b4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StartHtm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1900	StartHtm.exe
1900	StartHtm.exe
1900	StartHtm.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1900	StartHtm.exe
2116	d1fb64e7bae9956e7acd17569d86d6b4_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1900	StartHtm.exe
1900	StartHtm.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 1900	2116	d1fb64e7bae9956e7acd17569d86d6b4_JaffaCakes118.exe	30
PID 2116 wrote to memory of 1900	2116	d1fb64e7bae9956e7acd17569d86d6b4_JaffaCakes118.exe	30
PID 2116 wrote to memory of 1900	2116	d1fb64e7bae9956e7acd17569d86d6b4_JaffaCakes118.exe	30
PID 2116 wrote to memory of 1900	2116	d1fb64e7bae9956e7acd17569d86d6b4_JaffaCakes118.exe	30
PID 2116 wrote to memory of 1900	2116	d1fb64e7bae9956e7acd17569d86d6b4_JaffaCakes118.exe	30
PID 2116 wrote to memory of 1900	2116	d1fb64e7bae9956e7acd17569d86d6b4_JaffaCakes118.exe	30
PID 2116 wrote to memory of 1900	2116	d1fb64e7bae9956e7acd17569d86d6b4_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\d1fb64e7bae9956e7acd17569d86d6b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d1fb64e7bae9956e7acd17569d86d6b4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\emnl-win-mb2000-1_10-jcd\StartHtm.exe
  ".\emnl-win-mb2000-1_10-jcd\StartHtm.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\EMNL-W~1\manual\Japanese\EGV\1.1\EGV.cab

Filesize
1.9MB

MD5
3ffcf8e063d455ea43f84a95ba39f41f

SHA1
4426819a8477e7dd20595a97bca33cb370143121

SHA256
ad9bd9f80f656c9049a663cbae13ed18a8f951e770f5a4ae4625f28c8231c340

SHA512
5173ac4c1682dc76e388c819e2c9f825d7a78a4f03b7e3290e25c922c11f99c35a0a491e46fcdeb3b91180d96bd540536e70c45b23e91f8081932f36b757ba7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\EMNL-W~1\manual\Japanese\FAX\1.0\FAX.cab

Filesize
466KB

MD5
e69f3f27ef6360d473925141f7ac8d58

SHA1
4714e2b72ace7de60e5c8a95b60114d58c40cb11

SHA256
06c00b99cb1d8098e5503deecce0794d9d2df4661f5067d63000cb7d5c42fdcb

SHA512
a81f27c466a58e44431ceb91ab6bf6426ee73d33ff2b589c8dfc4ec615a6cb60e6d6edc5c90f7002026d0378b1a108649a1aa0ea60ed6f5365d824a4db36af77

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\EMNL-W~1\manual\Japanese\SA\1.0\SA.cab

Filesize
5KB

MD5
4024712ff2da866cda32f450a7c17f7b

SHA1
63ca75896b001d0f772738f7c376935cfa020202

SHA256
7ca490d11dc360a27df3f9beb489e5346258c077c99142f668875464b1d5a9fd

SHA512
cfd02b52d3889686475cd0f9ce19e4b00833cb4fe2bfae372d55d437543a9d0ac60100fdf60851f6dfe237202c2a54468379c50a65c4b49b010fe16d99afcabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\emnl-win-mb2000-1_10-jcd\STARTHTM.INI

Filesize
4KB

MD5
5bc854257762266481120111f32322f4

SHA1
c403a9815431e6e0e2acf7d74501d1b909d5488b

SHA256
3c0618bdc04cc7cfe79960dcc6b4ab668c25ada776eaaff2784e4453ba3a1630

SHA512
1653236059e5e30011afef56e1de7a22bd84ba310076bd10d0a74f6c9afc8d95a92cccc3e8d2eb341d46ee705aec5defd39db52e01f3c42b4ea5c520d0b8b5d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\emnl-win-mb2000-1_10-jcd\eula\Japanese\main.txt

Filesize
8KB

MD5
f4b1995352179508147534cd8ef2d1d6

SHA1
508592bc744a743e49d4bb9876f98ced85ad285c

SHA256
8cdcead795791e7956816b6128013ddcdf3c9ac8d84ef64d6abfe8562543b0c9

SHA512
dcc8f08e0ac2bbc8aae8f4413dfe30fb937aede4320ed37ec3ac4b96845e45bd2ecd092d24778d8e21e5a339e2be8dce1a734713d67bd17a2e2f639f6c5b0041

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\emnl-win-mb2000-1_10-jcd\message\Japanese\manual.txt

Filesize
564B

MD5
5b01c49e551b5e324bec145c6bf76de7

SHA1
5d7461b8d52e20cbd10acc08109a7aad891cbf54

SHA256
44065a58fdc23dcdf4aabfb315aed2e0e50526fad2897b7e6b2e3bedbbff6dd7

SHA512
3fcd319190ea188348b248b84de5b268ef7478bc2ac1105c72f0a8f810122db1949e42e25120912e9da7d56ac2a1a13d395f1620b65bd8ffe6d351aa47c9ad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\emnl-win-mb2000-1_10-jcd\message\Japanese\message.txt

Filesize
4KB

MD5
1fc70e52f4da0728615876b740a99943

SHA1
9b274a8d411b565300f85d83144359b36ca99155

SHA256
f641a75b965e8d8f5f48110fe09b7c97c6e813321c99e602df07ba7ea656d0ac

SHA512
0a9d565f1a700913d9e9ee6cc42b7c48ea50985b2ec1a04d62eef0a6b64c0a725cd326cb1522159605f8858f1917fd8cce3170cba652e0488b31574db9eafab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\emnl-win-mb2000-1_10-jcd\message\Lithuanian\message.txt

Filesize
7KB

MD5
d3acff88d41cd52877d1a3034bf67b7e

SHA1
2a53189de63768e667f6de0b6c7142918beb52ba

SHA256
156e1fa04e0bd280adc4917b8432e885bb35db8ce18adc762c0757f970a23f24

SHA512
874ade6ec084dc4fe82601f4f45f2a2966881b48ae9b07b1a4fb5b69d7e9124ae9e8d893feba01be100965ff36ac4acf3bd31b4c5ac420decc637cb67a521117

Download Submit
C:\Windows\starthtmWeb.ini

Filesize
246B

MD5
b7a833c25f848052d263646b8b4b0425

SHA1
bc9b8a77d073ec96a7981c5446c5d1f6709d6de3

SHA256
2fabd9e291fe21cc5005627fa6918842bb39be04789824a9dbc6743e02da449c

SHA512
9afd7c684b2022d792b425fdc2437e0715a06a7d60841671503146545b4d30a714bd05326ee687b3c71246d2c35e1fb50030083cabd5ba0383158956cb755b35

Download Submit
\Users\Admin\AppData\Local\Temp\WZSE0.TMP\emnl-win-mb2000-1_10-jcd\StartHtm.exe

Filesize
511KB

MD5
b2abb0383581350d5b2eb644129b58c7

SHA1
45671e5172f33aa29893a0c9212d4c92386808dd

SHA256
3b5b22a5e9ec29f7533a4dc24909181b949adb468962d96bb570a044fb12d7b2

SHA512
d2a18dcb0fdf09d7836fe2cd5e50bef2de7862d5cc52b9c198cd6646f62d2c839fbcea7c452fe520c8660b3531b415c005dcfb4bde07ccff696b13e51d0d09b0

Download Submit