3df8c6397421ca385bf7a48e87e5c9c90ddb922b6abc36443fc4fa7475815f5d

Analysis

max time kernel
94s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6259cad7dba6846db26cae312080a78_JaffaCakes118.exe
Size

647KB
MD5

d6259cad7dba6846db26cae312080a78
SHA1

c8fd90bae4d99f500bd988be4fa704d93f0c5725
SHA256

3df8c6397421ca385bf7a48e87e5c9c90ddb922b6abc36443fc4fa7475815f5d
SHA512

2385bd582d409398a1cf35aace08cc483c14cc5bf7fd792f17d3075a4a6d528041b8735b83c841b252c149da7773fb2a4c981535e67080c6640b8b3068726402
SSDEEP

12288:QEdfhvF9L92SyaQCN85OsgC1qBcVUfnTa7v:QElJ92RzCNFDC1qBcYuT

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
4948	d6259cad7dba6846db26cae312080a78_JaffaCakes118.exe
4948	d6259cad7dba6846db26cae312080a78_JaffaCakes118.exe
4948	d6259cad7dba6846db26cae312080a78_JaffaCakes118.exe
4948	d6259cad7dba6846db26cae312080a78_JaffaCakes118.exe
4948	d6259cad7dba6846db26cae312080a78_JaffaCakes118.exe

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3788	ARP.EXE
4880	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6259cad7dba6846db26cae312080a78_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARP.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2652	ping.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2652	ping.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 2652	4948	d6259cad7dba6846db26cae312080a78_JaffaCakes118.exe	87
PID 4948 wrote to memory of 2652	4948	d6259cad7dba6846db26cae312080a78_JaffaCakes118.exe	87
PID 4948 wrote to memory of 2652	4948	d6259cad7dba6846db26cae312080a78_JaffaCakes118.exe	87
PID 4948 wrote to memory of 4880	4948	d6259cad7dba6846db26cae312080a78_JaffaCakes118.exe	96
PID 4948 wrote to memory of 4880	4948	d6259cad7dba6846db26cae312080a78_JaffaCakes118.exe	96
PID 4948 wrote to memory of 4880	4948	d6259cad7dba6846db26cae312080a78_JaffaCakes118.exe	96
PID 4880 wrote to memory of 3788	4880	cmd.exe	98
PID 4880 wrote to memory of 3788	4880	cmd.exe	98
PID 4880 wrote to memory of 3788	4880	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\d6259cad7dba6846db26cae312080a78_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d6259cad7dba6846db26cae312080a78_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\SysWOW64\ping.exe
  ping 192.168.1.1
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /x/d/c "arp -a 192.168.1.1 > arp.log"
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Windows\SysWOW64\ARP.EXE
    arp -a 192.168.1.1
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:3788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\X33104\arp.log

Filesize
23B

MD5
65936aeff0487ddc4150d61166caceae

SHA1
3a48b73acbc53d7195f74a7cec0c1211eeb54cd7

SHA256
0800df731c50b055ac4c2b331b87253bb13bb0f3de47d308cb16932e07e1a57c

SHA512
9c61b77e18bd3367e8a70c048c5761b85a5c9b412246f106be89e8ae3b78d3029f1143adf9f9a67a3b7d9939a9115994ba6ac2706782fa8cabebe3d3a9bc9e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\X33104\perl58.dll

Filesize
784KB

MD5
d6fec475513d165261d38743a490dfc1

SHA1
b593136ed5bc0167e6715a41c7abf70603f40361

SHA256
fa9cd43d0b09f2352063f2790a49af51615ebe735eba53417129fc04dd5e7b73

SHA512
5f56183f1b3b919d526d446b590d70f2e75338305a1b373ed04cd6a1388a345aa99667527f74ab08b651109d41e150d8ba639fa540381372f5578c8fee3c9e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC38F.tmp\AnimGif.dll

Filesize
9KB

MD5
11e94fedb34f46458f9dc773a91f2770

SHA1
791cf30880c74df9d6f7c1e637e4fdf5fa88b38a

SHA256
54ccdcb42fb3e63b7a55e8c0e7d12182a0338ea38b106b793ca048000a189ab5

SHA512
57dd38bebdd7d8fbc4b3daeecabc5c2617d4f5b2f6ad2396a702f1da362bc72deacfea2dd1550b0e00269188676324e1b7dd6ed372211c8bf664af824ac8d950

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC38F.tmp\nsExec.dll

Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC38F.tmp\nsPerl.dll

Filesize
8KB

MD5
9fbdcc2cb3091c971e51212fc7e7a88a

SHA1
1bc182d2ef4eca262545bf1396e0606a87145470

SHA256
02bf98fab06aeff739d5182e147f5f5585be11f94eaca683eda495d5435d9ac9

SHA512
b270278b9ec39232eff74dfbed2b2a36a3bd3755a99c5e35aa85d217a4e72bd9b2ee0de5e3c7170c7f06a4c559dfd252a6d351f79cdc41059053770806ac8e9c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads