9e0114ab8f510a607f2c65d2f86b686d92822592f7767fff258aa4645e636714

Analysis

max time kernel
49s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6d03c96da4193b37ea70b0387e03e3d_JaffaCakes118.exe
Size

521KB
MD5

d6d03c96da4193b37ea70b0387e03e3d
SHA1

86cfec570afdd67d09e1f0866fecd21320897cc3
SHA256

9e0114ab8f510a607f2c65d2f86b686d92822592f7767fff258aa4645e636714
SHA512

d5f9c0bde197bea1788736e8d62933bdd2fa0b65e0be806d691a1353768e20d111c190cd8947baf26ea63dad81964ed893db56ea98d80ca59f43046e2c412b4d
SSDEEP

12288:+ylIvHucpkHuX6J65ZBGpTDk/hUOtYyUmr9yr5k:dOvHkH66aCg/hvUIyG

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2096	stdrt.exe

Loads dropped DLL 4 IoCs

pid	Process
2260	d6d03c96da4193b37ea70b0387e03e3d_JaffaCakes118.exe
2260	d6d03c96da4193b37ea70b0387e03e3d_JaffaCakes118.exe
2096	stdrt.exe
2096	stdrt.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stdrt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6d03c96da4193b37ea70b0387e03e3d_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	stdrt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2096	stdrt.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2096	stdrt.exe
2096	stdrt.exe
2096	stdrt.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2096	2260	d6d03c96da4193b37ea70b0387e03e3d_JaffaCakes118.exe	29
PID 2260 wrote to memory of 2096	2260	d6d03c96da4193b37ea70b0387e03e3d_JaffaCakes118.exe	29
PID 2260 wrote to memory of 2096	2260	d6d03c96da4193b37ea70b0387e03e3d_JaffaCakes118.exe	29
PID 2260 wrote to memory of 2096	2260	d6d03c96da4193b37ea70b0387e03e3d_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\d6d03c96da4193b37ea70b0387e03e3d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d6d03c96da4193b37ea70b0387e03e3d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\mrt8F73.tmp\stdrt.exe
  "C:\Users\Admin\AppData\Local\Temp\mrt8F73.tmp\stdrt.exe" /SF "C:\Users\Admin\AppData\Local\Temp\d6d03c96da4193b37ea70b0387e03e3d_JaffaCakes118.exe" /SO94208
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2096

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x480
1⤵
PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mrt8F73.tmp\KcActiveX.mfx

Filesize
288KB

MD5
15b3c3bed1181261e8c75f3a737c86a6

SHA1
16d55b62d9ac287eab04583d65f71a0753a61ae3

SHA256
af920de169c975d5ab9cb407a454c60723c7f6ca5d24ee0e229aae98b93d6aad

SHA512
5099044f9aac7364d2154ae6d17aa9fc1f3b8dd97a2a1806ff40323fbb3c41bc82c839551e3f04e5706ddcfb12743249e185af61f60146591c9c02430825c25e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt8F73.tmp\MMFS2.dll

Filesize
296KB

MD5
fcdc7975ffb8a1c06d57e78910edc48c

SHA1
3e5d5d580ed6ae95d59d3794dd8e524002901aa2

SHA256
cf973b83ec737c5d9f98c0befec8bbf4f157bfab78388c86a4cbe2327ca91653

SHA512
8cd43b8edeef51a95d54e68d7dadc1c8f01de2c73d1dcfc0d81af4a5b381ea0fd4e05c41509283a6bbbb669af2809fce94546b6fa7eb044037fa0701ea54d194

Download Submit
\Users\Admin\AppData\Local\Temp\mrt8F73.tmp\stdrt.exe

Filesize
324KB

MD5
cc4113856c0bd5a1910f8cc5c37d6d78

SHA1
69621b8f1dfea6e7a0c759033984f0ae8319c118

SHA256
0457b7a73873892eeae4871f9eb8bd16ffc33e3d61b77e04c150ccbb11a1dcbf

SHA512
0692a5d220a6059da9be53251b7793a3c18af5e59d40390b7ba269e9344862e96f5e18cf56d33393dd7732495f382fdc8f55af83f81452dfd2ec20d058b60682

Download Submit