75c562b3f533a9390ae7c772cec26eb6b7b2aa14a42941e42ba688135d981db1

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 02:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d58af6f38abdc852568c4894406e83ad_JaffaCakes118.exe
Size

2.8MB
MD5

d58af6f38abdc852568c4894406e83ad
SHA1

3696b48c4e3e8f8271dfa89aa153b2e16c8b3677
SHA256

75c562b3f533a9390ae7c772cec26eb6b7b2aa14a42941e42ba688135d981db1
SHA512

28a337a89b5b1d86b7c067729b7769ca319bb6588396f0fc8f8b8646238064dcf780872f40779796ceae6ebea10b0a1519dc582ac5cafdc5e4c0b23ecb20279e
SSDEEP

49152:++fqU1p1m2606SKCsl9E/dud6J5YpTDRvnHwFwIpuHkHnxXkkhrVCkRoua:++fh1p1B6069l94zmTRwFwIp0kRXkkhK

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2580	sexyss60.exe_tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2544	d58af6f38abdc852568c4894406e83ad_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Keira Knightley Sex-E Screensaver Uninstaller.exe	d58af6f38abdc852568c4894406e83ad_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d58af6f38abdc852568c4894406e83ad_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sexyss60.exe_tmp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2580	sexyss60.exe_tmp.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2580	2544	d58af6f38abdc852568c4894406e83ad_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2580	2544	d58af6f38abdc852568c4894406e83ad_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2580	2544	d58af6f38abdc852568c4894406e83ad_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2580	2544	d58af6f38abdc852568c4894406e83ad_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\d58af6f38abdc852568c4894406e83ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d58af6f38abdc852568c4894406e83ad_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\inst259433094\installer\sexyss60.exe_tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\inst259433094\installer\sexyss60.exe_tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\inst259433094\installer\sexyss60.exe_tmp.exe

Filesize
2.1MB

MD5
e9dca19e7774440e743acc55a39f4fd4

SHA1
eeb741d4848eb4669ac5a0a934392e82f51c116d

SHA256
07ca5780cf54ec7f8356482c17394750b115bdbdd03c9d57513b1b0aeb45cd2d

SHA512
1e2da0aad390c0c1228d63547e815491624c42d51bb424b1637372ec1bdca652afd5b960b7cb159f7bed5d2a81c17a790ddabba5a3dabb66b5114f11b7751ae6

Download Submit