45020761fcab0709a1408f1c3d78bdeee8242f191d332a2a22f069023fec8177

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 22:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d73ad21a5d680fde25718c85fa06f211_JaffaCakes118.exe
Size

3.7MB
MD5

d73ad21a5d680fde25718c85fa06f211
SHA1

c2ee6bb45f38f20091a94ec8e0c67eb2ecf1db05
SHA256

45020761fcab0709a1408f1c3d78bdeee8242f191d332a2a22f069023fec8177
SHA512

9394bdffd3eacafe45ad7f602219fcd23f4865deb48733f438b3a294a4a70af5cf6e949de7ef8415aadce217f3915b8c5c78b4e8130389839b2b4cb482272f9e
SSDEEP

24576:mxPBBgnnPjwMr2o2xPgiZjpefwNz2oqQMr:mxP3gPjwRosP7ZVQw92oPM

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1932	ROMUpdateUtility.exe

Loads dropped DLL 2 IoCs

pid	Process
2668	d73ad21a5d680fde25718c85fa06f211_JaffaCakes118.exe
1932	ROMUpdateUtility.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d73ad21a5d680fde25718c85fa06f211_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ROMUpdateUtility.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1932	ROMUpdateUtility.exe
1932	ROMUpdateUtility.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 1932	2668	d73ad21a5d680fde25718c85fa06f211_JaffaCakes118.exe	30
PID 2668 wrote to memory of 1932	2668	d73ad21a5d680fde25718c85fa06f211_JaffaCakes118.exe	30
PID 2668 wrote to memory of 1932	2668	d73ad21a5d680fde25718c85fa06f211_JaffaCakes118.exe	30
PID 2668 wrote to memory of 1932	2668	d73ad21a5d680fde25718c85fa06f211_JaffaCakes118.exe	30
PID 2668 wrote to memory of 1932	2668	d73ad21a5d680fde25718c85fa06f211_JaffaCakes118.exe	30
PID 2668 wrote to memory of 1932	2668	d73ad21a5d680fde25718c85fa06f211_JaffaCakes118.exe	30
PID 2668 wrote to memory of 1932	2668	d73ad21a5d680fde25718c85fa06f211_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\d73ad21a5d680fde25718c85fa06f211_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d73ad21a5d680fde25718c85fa06f211_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\ROMUpdateUtility.exe
  "C:\Users\Admin\AppData\Local\Temp\ROMUpdateUtility.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EnterBootloader.exe

Filesize
237KB

MD5
4c0a71b217d90d82bed9d426787612cc

SHA1
e9d8d4b65c19085f11cb08b7278c4addb0f1b7ff

SHA256
a0878833e62647f590bc8091e0b42b81f11220e64244bf7bd0015598a3c1b2c8

SHA512
3b9f1a9d24b71f924bc1b45d27cf88cb863862d789ae064ed6fe97848adbdd78ccee64e126b53d44c83b142dfc45cc3ba3299c944fa4ba0b4ccb7f16260f35df

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorBattery.fig

Filesize
93KB

MD5
53d61563128d6fe848bed8f427e68711

SHA1
46993982d12ce42f3c8b5d10fd9ffd22d019b335

SHA256
95e2cfc94c70573a2b736f00ab0e31fd9b9d2018d9d152116c6c895fe0f80b8e

SHA512
275730f72f7025628f89f4725026e78a9685b50e4e41f1d84c6f35dd52a0324fa65da446002551a050d00d194d825ab03a72718e98ddbe46a1b166d545bb3ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorUSB.fig

Filesize
138KB

MD5
e1c99e298e030a620dda4ddd23678378

SHA1
ff31acdbfc394bbfb2cd8eb20d7e7a92cdc29f1d

SHA256
7f84d835e29fc94ba6863c210427e6d05ed329e767fcf6c5a0d9b3be5ff8626b

SHA512
2da13aeb0e17ee1841e76ba8794a2aea5d8cbea75dff11f08b3439d8f2f4b22c3ece5ed6f49f80e2150a2c19c4895b6b1c321e7de6b3d56a16bb200609744e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModelID.fig

Filesize
208KB

MD5
2ef3e6a76daf254085a9598185889c59

SHA1
e11975a24e3fbe55bf252fc49d8e16470c41ef96

SHA256
8eed6a9d8793d3c25dd947cab746e1f338f226c17eb270e85dd124ca1decff09

SHA512
de1f6c56dae190792754552026d71aa9450b479cc74fb7e6db012a195562d7a0041f098b3c5e8a433d90717c7c45ae78d73291e46a2ea374a165b1dc2a632470

Download Submit
C:\Users\Admin\AppData\Local\Temp\ROMUpdateUtility.cfg

Filesize
13B

MD5
e91eb770e2ae5feb91f27fc68e866395

SHA1
f9bfb2211431770667f33563c8d2978a5657e7d0

SHA256
0cd66e4618a1aacf87d8c5e517585e4e794e7ceb359c04f1e45332f9fbcafdf9

SHA512
c3c24d3af28fcfd69fd7ef775b4d74a6c0656b00fcc0526b10922e0b9e637a63172ce2d0593dea08f7c992fd79de499e37f49235ac4fff62ddd6d2de0972d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUUGetInfo.exe

Filesize
13KB

MD5
05a1d67fffd046672e922846508ba5bc

SHA1
19446c3606b0cb665f5484682d1e3071f444b5bc

SHA256
50a414b87aefd0dac43006eb6be7625b7b000b0864e97dc16bd41534eecdef0f

SHA512
311c712ca730bf1a4c40c66a40ba040adef60f9d786f88b5401cb4dbdc56c8dc7f94686e5bdf56cdfe8310283715bea03f453f1371205ada7e617bc0244d7bc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUUResource.dll

Filesize
1.4MB

MD5
e7124aee062ecc7baba679dcbbcf84da

SHA1
82f3896e7209bcc496b0d23dfcecc0fd51e7020d

SHA256
fde28954bd12b4cfc999e91134c3b2dba2849984b88d68ef18ed729030b6dd1b

SHA512
4c0b7ed4a38203a6c6022963d4b2dfc8bc043e9d9995290d9e79e5d95b3b14240b9073cfe32f0d8d2bc4489a0f71a6a3183a4f94b5a71895a589944ee25b35b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rapitool.exe

Filesize
171KB

MD5
b8ecf00387346d8617065c06ced04317

SHA1
1d898e8f4e4488024b82a7b1ff49514862912db6

SHA256
275578ee82c8f25b7c01c9c6cd6fd39d422ff674397b6872c0621c9c0067511d

SHA512
742bf745b37117801c8a4892c7b4457013de2f10af5e438bdbe4ab2dc5d0695fcbc94e54054e64f457b50b2b78529e6e687234a915300f618791c5b3d4e87dc1

Download Submit
\Users\Admin\AppData\Local\Temp\ROMUpdateUtility.exe

Filesize
1.4MB

MD5
16efd6906ee87a9661e4ed99c47bc398

SHA1
7890cd000bb95556331c2c1c5cfc06a5249ab5d8

SHA256
1e74591944e35f0b3ab9de6fbacd0369af8dbc3492c961a8cbe39de48dbafd94

SHA512
60db41b601e9659219e20792944191a90489d5dbe81b89bab7d5f98e89013f457508599e582d53926652f26018128183fc63fc72cce4a54763c0ee6ab604d54e

Download Submit