6f01fdc45dd5cfa5fcc02cf8e9f819979a7653f0e0704aa6dfb90e58f17b0a22

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6c6359592a83e5da9946e1ab11476ee_JaffaCakes118.exe
Size

135KB
MD5

d6c6359592a83e5da9946e1ab11476ee
SHA1

b6a8e9f610e235754c5372476fc178b52423fe3c
SHA256

6f01fdc45dd5cfa5fcc02cf8e9f819979a7653f0e0704aa6dfb90e58f17b0a22
SHA512

c56ab5df22338de2380a5f6aa29d4db7fbca29ea6bd6cb16059acfcae11d979a8b2e024bacd426f00a11a79a0cf7add6441240d1a611958023aa06efe1855ca8
SSDEEP

3072:e97HgvA7LsCiud4wqApzWh6rfEqeMy9Iout:27Hgv2IfuN7pjE79IoS

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2544	proxysvc32.exe

Executes dropped EXE 1 IoCs

pid	Process
2544	proxysvc32.exe

Loads dropped DLL 2 IoCs

pid	Process
2100	d6c6359592a83e5da9946e1ab11476ee_JaffaCakes118.exe
2100	d6c6359592a83e5da9946e1ab11476ee_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\proxysvc32.exe	proxysvc32.exe
File created	C:\Windows\SysWOW64\proxysvc32.exe	d6c6359592a83e5da9946e1ab11476ee_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\proxysvc32.exe	d6c6359592a83e5da9946e1ab11476ee_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\proxysvc32.exe	proxysvc32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6c6359592a83e5da9946e1ab11476ee_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	proxysvc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2544	2100	d6c6359592a83e5da9946e1ab11476ee_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2544	2100	d6c6359592a83e5da9946e1ab11476ee_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2544	2100	d6c6359592a83e5da9946e1ab11476ee_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2544	2100	d6c6359592a83e5da9946e1ab11476ee_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2204	2544	proxysvc32.exe	32
PID 2544 wrote to memory of 2204	2544	proxysvc32.exe	32
PID 2544 wrote to memory of 2204	2544	proxysvc32.exe	32
PID 2544 wrote to memory of 2204	2544	proxysvc32.exe	32

C:\Users\Admin\AppData\Local\Temp\d6c6359592a83e5da9946e1ab11476ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d6c6359592a83e5da9946e1ab11476ee_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\proxysvc32.exe
  C:\Windows\system32\proxysvc32.exe 500 "C:\Users\Admin\AppData\Local\Temp\d6c6359592a83e5da9946e1ab11476ee_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\del.bat C:\Windows\SysWOW64\proxysvc32.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\del.bat

Filesize
136B

MD5
bfcf9cc6d1c37953dfa43312e2c36140

SHA1
07a4c0f29b282c34be24c312c4b920e479f4cee0

SHA256
bac7cce52aeba3a2e2ce2bb6aebf50ffa65530d0d51ca49a2abc7f4e43ce3ce5

SHA512
fb661474557e7168d4050607863b57649fa12a26ab9bd06078ae3254d003d76cfed4eac3d0a78a56eaf0ecc5b231d52788b6c8688cb14b0c86a37efe90f5f53a

Download Submit
\Windows\SysWOW64\proxysvc32.exe

Filesize
135KB

MD5
d6c6359592a83e5da9946e1ab11476ee

SHA1
b6a8e9f610e235754c5372476fc178b52423fe3c

SHA256
6f01fdc45dd5cfa5fcc02cf8e9f819979a7653f0e0704aa6dfb90e58f17b0a22

SHA512
c56ab5df22338de2380a5f6aa29d4db7fbca29ea6bd6cb16059acfcae11d979a8b2e024bacd426f00a11a79a0cf7add6441240d1a611958023aa06efe1855ca8

Download Submit
memory/2100-0-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2100-12-0x0000000002500000-0x000000000259F000-memory.dmp

Filesize
636KB

Download
memory/2100-11-0x0000000002500000-0x000000000259F000-memory.dmp

Filesize
636KB

Download
memory/2100-15-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2544-13-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2544-17-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2544-20-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download