e78605316d5b748c05787c6858ecaba078f6cefad766e00c6a1546b13383891e

Analysis

max time kernel
128s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3987941cbfbbdfcdede065d03165ea9_JaffaCakes118.exe
Size

32KB
MD5

d3987941cbfbbdfcdede065d03165ea9
SHA1

ac58ed35605338907218194663db0f600574b926
SHA256

e78605316d5b748c05787c6858ecaba078f6cefad766e00c6a1546b13383891e
SHA512

9ef157620d4523cb5cc8b7524a2b9b2f3aef954d39cb641e89e663db4e1d7c76efb52cff2c2a2dcc11c9546b193ad1a2432073e77dd0fdd2931f2360a9359a0e
SSDEEP

384:SgGjnPPDg/lJLjAQ4hDdH31zvtGI0hLjkKbYED948whZ:SlnPPDgt1jAQWDvzvgBtyZ

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2792	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2516	svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
2032	d3987941cbfbbdfcdede065d03165ea9_JaffaCakes118.exe
2032	d3987941cbfbbdfcdede065d03165ea9_JaffaCakes118.exe
2516	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3987941cbfbbdfcdede065d03165ea9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2032	d3987941cbfbbdfcdede065d03165ea9_JaffaCakes118.exe
2516	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2516	2032	d3987941cbfbbdfcdede065d03165ea9_JaffaCakes118.exe	30
PID 2032 wrote to memory of 2516	2032	d3987941cbfbbdfcdede065d03165ea9_JaffaCakes118.exe	30
PID 2032 wrote to memory of 2516	2032	d3987941cbfbbdfcdede065d03165ea9_JaffaCakes118.exe	30
PID 2032 wrote to memory of 2516	2032	d3987941cbfbbdfcdede065d03165ea9_JaffaCakes118.exe	30
PID 2032 wrote to memory of 2792	2032	d3987941cbfbbdfcdede065d03165ea9_JaffaCakes118.exe	31
PID 2032 wrote to memory of 2792	2032	d3987941cbfbbdfcdede065d03165ea9_JaffaCakes118.exe	31
PID 2032 wrote to memory of 2792	2032	d3987941cbfbbdfcdede065d03165ea9_JaffaCakes118.exe	31
PID 2032 wrote to memory of 2792	2032	d3987941cbfbbdfcdede065d03165ea9_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\d3987941cbfbbdfcdede065d03165ea9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d3987941cbfbbdfcdede065d03165ea9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\svchost.exe
  "C:\Users\Admin\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\1308.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1308.bat

Filesize
153B

MD5
87e3556ac4a2f901a78f51acf62e4ede

SHA1
6fa1656402b540af96cb8ebee74dc392a513ad66

SHA256
e7b073207f05d57beac84f48096a7a96a1cf4f508217bbb67deaee56af4809f2

SHA512
cc487a2ddc83dc2c79b0754b1d9ad0f6a02733df9c56b50fb7eb43c36bc6ee88c15104889c35dc33ef29d12f36ea78fb35a47c756cc1dba1b06c571d0f0a5688

Download Submit
C:\Users\Admin\b.exe

Filesize
128B

MD5
f09f35a5637839458e462e6350ecbce4

SHA1
0ae4f711ef5d6e9d26c611fd2c8c8ac45ecbf9e7

SHA256
38723a2e5e8a17aa7950dc008209944e898f69a7bd10a23c839d341e935fd5ca

SHA512
ab942f526272e456ed68a979f50202905ca903a141ed98443567b11ef0bf25a552d639051a01be58558122c58e3de07d749ee59ded36acf0c55cd91924d6ba11

Download Submit
\Users\Admin\svchost.exe

Filesize
32KB

MD5
d3987941cbfbbdfcdede065d03165ea9

SHA1
ac58ed35605338907218194663db0f600574b926

SHA256
e78605316d5b748c05787c6858ecaba078f6cefad766e00c6a1546b13383891e

SHA512
9ef157620d4523cb5cc8b7524a2b9b2f3aef954d39cb641e89e663db4e1d7c76efb52cff2c2a2dcc11c9546b193ad1a2432073e77dd0fdd2931f2360a9359a0e

Download Submit