e61832710087de2acdee37d7125f200832d03718c557c9a251cb98b70b0eaad6

Analysis

max time kernel
140s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d20bffb826a33b459adcb7c250097780_JaffaCakes118.exe
Size

9.5MB
MD5

d20bffb826a33b459adcb7c250097780
SHA1

27131f7fa1daeefd5daf4fec7cbf32e84c232dc3
SHA256

e61832710087de2acdee37d7125f200832d03718c557c9a251cb98b70b0eaad6
SHA512

caf678056bb65a1b12a51e2c16c2d12cb3fbd44508bc24e04ddbe5720300aad0980a472b6aee9d54ebbc755d43dd0bc9ed774ef2c443dc95119d025ef3b74f10
SSDEEP

196608:jhk3T2N9+x+57GOJODOXa9G7Hd7i0sPF69k7hht:j+Lx+JGOIOK9G5uPF6knt

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2720	ISBEW64.exe

Loads dropped DLL 7 IoCs

pid	Process
2876	d20bffb826a33b459adcb7c250097780_JaffaCakes118.exe
2876	d20bffb826a33b459adcb7c250097780_JaffaCakes118.exe
2876	d20bffb826a33b459adcb7c250097780_JaffaCakes118.exe
2876	d20bffb826a33b459adcb7c250097780_JaffaCakes118.exe
2876	d20bffb826a33b459adcb7c250097780_JaffaCakes118.exe
2876	d20bffb826a33b459adcb7c250097780_JaffaCakes118.exe
2876	d20bffb826a33b459adcb7c250097780_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d20bffb826a33b459adcb7c250097780_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2720	2876	d20bffb826a33b459adcb7c250097780_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2720	2876	d20bffb826a33b459adcb7c250097780_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2720	2876	d20bffb826a33b459adcb7c250097780_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2720	2876	d20bffb826a33b459adcb7c250097780_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\d20bffb826a33b459adcb7c250097780_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d20bffb826a33b459adcb7c250097780_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\{44109FEA-0689-4264-A0C7-815F6D655A59}\ISBEW64.exe
  C:\Users\Admin\AppData\Local\Temp\{44109FEA-0689-4264-A0C7-815F6D655A59}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1C236FEB-9858-4DF9-A73B-61100F8A86AA}
  2⤵
  - Executes dropped EXE
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\skin7427.rra

Filesize
1KB

MD5
429a7e5a6311c997c3e5c88d9b7316d8

SHA1
8c648624efef58e5c6f4b4c1a911433b0722ed62

SHA256
a24ecd2e091fb456de7e78f45016d7f441e7da835586ecda9123cf9aa042a798

SHA512
bb050fa27a73300ad172f8c5f96b57ba2f70ba7bf376744c979310ac445cfc54e515dcf7df67d355d394168cb7fae0b83227ba2c33ede7a2803b56f9662eb8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\{11B9659B-B42C-4BF7-B915-563B5AA75F89}\Disk1\data1.hdr

Filesize
14KB

MD5
370794794da1a7b4e4ebe86e742fd834

SHA1
d02bbe2afc0626d021e4d389561ea15fb7698990

SHA256
1e7f2b9b8cfbdc31043ebcbf3395c1a0d27971dfe8777400c97e695dc25e2170

SHA512
cd3a33f342fb66efa98271809615947a6bab499fc1a5134e4e5aecb09302f9bf50430d2fdf32083d2347a9838f08dbe3401f9243c3783de5df836d4451848aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{11B9659B-B42C-4BF7-B915-563B5AA75F89}\Disk1\setup.exe

Filesize
384KB

MD5
bc49243557991ac42fcc01b8e3bb05d2

SHA1
a7e88e8d743ff63e0c45332d27b0a502101e190b

SHA256
1e3bae1ac3aebb97580a63787f321a3f4004ab072da7a3cd20eb1c4f1ccbcfa7

SHA512
290274e0b245797a6dc30e08a4aba7095f59eaf0124b4bfe5817a657243fc4cdd57060f2985f7c3bb586425cb58f419f1d0c45e18f8e5650484dc35381ad2a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\{11B9659B-B42C-4BF7-B915-563B5AA75F89}\Disk1\setup.isn

Filesize
239KB

MD5
540f29e449a1e194f540fa1f6879ba19

SHA1
ae9483ba4e6e3097feb3886be9389470186cb4e1

SHA256
ea32b73793e8dae01677f60818643d4096018ed6073f2cc6e858988a3fb37f5f

SHA512
9b8599d1523cc8864b94107caef84fd761f599dbe8abcd1dcf1edaf2f93e979f87dbfaae0c6d7bbd3905712ea0f4a7e9d9cc45709d8302a09d1cd419fa4c8a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\{11B9659B-B42C-4BF7-B915-563B5AA75F89}\setup.ini

Filesize
487B

MD5
ec780964ec1db2453d6be196b5a9d66e

SHA1
f0dc52605d640c64745b8f40645c0ac97c0c0df1

SHA256
b13f467f8d757c4728148e8afa070ce05bb2c9dcc3a673df87dc9df63eece579

SHA512
5f16bd64b5448c32c4c109520f567060a9936e17f1db60be84446509a9e76bf5a402c0c347c25418ef8b55ef98b6b0ccd96e5c777ad9e6c17c672400556ba463

Download Submit
C:\Users\Admin\AppData\Local\Temp\{44109FEA-0689-4264-A0C7-815F6D655A59}\{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}\DIFxData.ini

Filesize
86B

MD5
10baa5b67536f4433f37534b9c8bb828

SHA1
82e5c34b1279afda223b639b49078d03c52875f5

SHA256
1b9fd5c1f18357bd459be20bfcbf47ee18fa0c5d5cc42f6aed2705d5868b65f4

SHA512
49c6798ebb3b6137cafb78b88350d02094367523dcf8f9e580de1941e514b8b3df786d1d817090e5dab80ac4d0d015796b2ce28b296db31d111e0d0bbaeebb37

Download Submit
C:\Users\Admin\AppData\Local\Temp\{44109FEA-0689-4264-A0C7-815F6D655A59}\{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}\FontData.ini

Filesize
39B

MD5
00f313e3e007599349a0c4d81c7807c4

SHA1
f0171f15aab836a1979d3833e46b5e59e4ea32e0

SHA256
766ee687d90b0217eb41cb85aca04375bdc24db986a33536631f864b7ce1a08a

SHA512
8bb25a62c0b1640dec36403a493ed54c05f7cde7b7357c8faea785a79c4b76bbe6a3d6fe78db52b558a37abac90c2b2e8b13868a76294554d51670e9fa8764ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\{44109FEA-0689-4264-A0C7-815F6D655A59}\{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}\VASData.ini

Filesize
30B

MD5
b16ff78e4420d4049da82fffe3026d31

SHA1
612be1fde59d3d4534a4d8e0947b65060ed6146b

SHA256
029f695d7a558a0070bdb42c07d35c7ae436fbd0688079b7ada58093505d9579

SHA512
8042f5a1f12ef644b7def42c52c90a252ff4a6c099956530cff8147daf2edd8934f5bc79bb560f550d47755fead71a1d0fbe7d52fdc0fb30a0ad64471beaaf7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{44109FEA-0689-4264-A0C7-815F6D655A59}\{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}\setup.inx

Filesize
255KB

MD5
940c6ad5bd8b78f7bcd5989912a5867e

SHA1
633f3d744176b2df19735c3c69ff307702a2d79d

SHA256
416301fadfdb43c58d87c1f6195db99f96287da9fad74e1818f7f3a652bd5358

SHA512
a50c8952d3f36700255845a33bb6d130947d25785eb1d035c4b3584f412b158b8a56a7361c29ae917cf73888ee051e3dabb597dd1089d272387f09f7368abec0

Download Submit
\Users\Admin\AppData\Local\Temp\{11B9659B-B42C-4BF7-B915-563B5AA75F89}\Disk1\ISSetup.dll

Filesize
542KB

MD5
2dd1c4a68e2a8a401018f5efdab5adde

SHA1
13fc964947516230c70d38281d0312bc1afe13c0

SHA256
7c173cdaea8e3a3cc95b7196681cb904f3996f81289d5890b30f38c99eba45ae

SHA512
c69f3e46d36e07e6093f66cf072c83fc8c7249ff86c9cd84168ee46dbb7a621d562cee7de5685b408bd5f71889d6433e99ff8045955e5b8ab2c9eeb71941d165

Download Submit
\Users\Admin\AppData\Local\Temp\{11B9659B-B42C-4BF7-B915-563B5AA75F89}\_Setup.dll

Filesize
145KB

MD5
0d3f826d9467179b3d03feb31314ca63

SHA1
530d0fc49c93d7c84e0a7637f4a8c1639b80b1ba

SHA256
7d259642019033a6630208c28c096c03c8db8b68c1c35ac73a675e6eb7707d86

SHA512
295169fe2946a39f5aee1430a5d3cf8bccdae22b578cf1f3e907c8abced329d0627a4b8359e5be7161aa3785f81352fa90001a2acd35f21ebc50ccab010c59cd

Download Submit
\Users\Admin\AppData\Local\Temp\{44109FEA-0689-4264-A0C7-815F6D655A59}\ISBEW64.exe

Filesize
114KB

MD5
2a276ba2b7782476302c59d0f760f4bc

SHA1
43bbb884a7b65534c417ae5a3f3f17f7e80e2f7d

SHA256
d3294cc8c750c4bd63016e87e9d2c53a501c173567f4edb9a3c6f1bd9836064a

SHA512
6bed8d3291ed422aed187637838bfb957ea59c772be3bc52c12242474712f411e174afe55ed6955b910a8ce3635f1552260063cf6db428a4e34bc76a4e3e01f6

Download Submit
\Users\Admin\AppData\Local\Temp\{44109FEA-0689-4264-A0C7-815F6D655A59}\{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}\_ISUser.dll

Filesize
16KB

MD5
5bb860da3698bed7a360b1ff3a4219f2

SHA1
bff11b1fbd38352ddde796fe7843d5fccf20193e

SHA256
acbb6413b8368846fc958194dc97ae883b178ec192e3606a74e0866b2c932a92

SHA512
a3bf777b685c5318876a5a9646a27795dbf407cba8048019a75b19bfb0df41c191a90d0885640869eb65a77fbd7e0a8d6ba46018b98a26ccc5367ac1708fe245

Download Submit
\Users\Admin\AppData\Local\Temp\{44109FEA-0689-4264-A0C7-815F6D655A59}\{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}\_IsRes.dll

Filesize
385KB

MD5
33f898677e78b00543cbd351ed5b61d0

SHA1
6dc725e9c0a7c46f8a93694db27bd1e47a2e6155

SHA256
9ce56dc8ad52a4b4eeccddba820fe051a06ba446cdb1074424012b83c9ed6346

SHA512
08d871909825c903aff050cd304da1848ab19221776a4d58c8f6e4fc26ddd0c3f58dbfc5fe6d0c48ee4a52125e0f39ef0252963e1b92a73aa0ce9ece8263e0eb

Download Submit
\Users\Admin\AppData\Local\Temp\{44109FEA-0689-4264-A0C7-815F6D655A59}\{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}\isrt.dll

Filesize
217KB

MD5
0f68d760fb480a1b039ca7d6b877d24c

SHA1
259d101a49646c3abe17114111ff9aa7df1b8fc2

SHA256
5974ce20a780d384383cfc24af4dc62bc22ca67ce1d76ea9981c42631480ab63

SHA512
d551553ceca5b9ba86f7422893df78ce71167096cbeae65319c344abf57601e8e6c8f9779a9a45ed28ce32c3e1c477b843d8ad4437e0643c0fabf56ab7f586d1

Download Submit
memory/2876-245-0x0000000000770000-0x0000000000772000-memory.dmp

Filesize
8KB

Download
memory/2876-47-0x0000000002260000-0x00000000023FA000-memory.dmp

Filesize
1.6MB

Download
memory/2876-243-0x0000000004190000-0x0000000004218000-memory.dmp

Filesize
544KB

Download
memory/2876-50-0x00000000003D0000-0x00000000003D2000-memory.dmp

Filesize
8KB

Download
memory/2876-411-0x0000000004190000-0x0000000004218000-memory.dmp

Filesize
544KB

Download
memory/2876-410-0x0000000002260000-0x00000000023FA000-memory.dmp

Filesize
1.6MB

Download
memory/2876-412-0x0000000000770000-0x0000000000772000-memory.dmp

Filesize
8KB

Download