5df61ec2976ec81eec878a51a68b9591640c40119b189d15fb21e440f92255d5

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 18:53 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6e7bcd08eac45e6a47176c555b2e282_JaffaCakes118.exe
Size

1.2MB
MD5

d6e7bcd08eac45e6a47176c555b2e282
SHA1

b6491468adb7e68c0b0e7e65610da987d917b3ca
SHA256

5df61ec2976ec81eec878a51a68b9591640c40119b189d15fb21e440f92255d5
SHA512

8de08cd0c204c144789372372ac73ee51b6e33c1e32be1e0c7132afd23b1f80b353eaa2bb27c70ed257f5e8559047c20ca8d8e7cf8f67cd603fa3b20beeb3481
SSDEEP

24576:gT5TPKfDG4WAlkkrQxzcVgqJJ809hbIX0GoilawnjNV:gdefa4Wp2Q9cVgqU0bIX0G5Nnj/

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1292	d6e7bcd08eac45e6a47176c555b2e282_JaffaCakes118.tmp

Loads dropped DLL 3 IoCs

pid	Process
2052	d6e7bcd08eac45e6a47176c555b2e282_JaffaCakes118.exe
1292	d6e7bcd08eac45e6a47176c555b2e282_JaffaCakes118.tmp
1292	d6e7bcd08eac45e6a47176c555b2e282_JaffaCakes118.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6e7bcd08eac45e6a47176c555b2e282_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6e7bcd08eac45e6a47176c555b2e282_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 1292	2052	d6e7bcd08eac45e6a47176c555b2e282_JaffaCakes118.exe	30
PID 2052 wrote to memory of 1292	2052	d6e7bcd08eac45e6a47176c555b2e282_JaffaCakes118.exe	30
PID 2052 wrote to memory of 1292	2052	d6e7bcd08eac45e6a47176c555b2e282_JaffaCakes118.exe	30
PID 2052 wrote to memory of 1292	2052	d6e7bcd08eac45e6a47176c555b2e282_JaffaCakes118.exe	30
PID 2052 wrote to memory of 1292	2052	d6e7bcd08eac45e6a47176c555b2e282_JaffaCakes118.exe	30
PID 2052 wrote to memory of 1292	2052	d6e7bcd08eac45e6a47176c555b2e282_JaffaCakes118.exe	30
PID 2052 wrote to memory of 1292	2052	d6e7bcd08eac45e6a47176c555b2e282_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\d6e7bcd08eac45e6a47176c555b2e282_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d6e7bcd08eac45e6a47176c555b2e282_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Local\Temp\is-GGCK6.tmp\d6e7bcd08eac45e6a47176c555b2e282_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GGCK6.tmp\d6e7bcd08eac45e6a47176c555b2e282_JaffaCakes118.tmp" /SL5="$4010C,753259,71680,C:\Users\Admin\AppData\Local\Temp\d6e7bcd08eac45e6a47176c555b2e282_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-GGCK6.tmp\d6e7bcd08eac45e6a47176c555b2e282_JaffaCakes118.tmp

Filesize
1.1MB

MD5
dfb7304d96f8f1c29fda2748779663d7

SHA1
1d836df6a5373db4edde087f31b61561e7f071ca

SHA256
f487faf0e64abf18eb5c0b6f79f410ee96a1e1c6dde473f2bd3ffabf05812027

SHA512
c8455c34d47ba88ecaed794aba0d093b6c813e7c0e061453fb535f5c1c1287f2f52520899456d067a225ea3cafdf598176a78f9f317c25a32c30fca0270c2d7e

Download Submit
\Users\Admin\AppData\Local\Temp\is-OHODG.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1292-9-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/1292-21-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2052-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2052-2-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download
memory/2052-20-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download