45ea17cda42dbb123700c40421be29f9c21ae40395d3ebdf716b7706eb2e827b

Resubmissions

10-09-2024 08:12

240910-j3v7wstemj 10

10-09-2024 08:05

240910-jy5krsvflc 10

Analysis

max time kernel
20s
max time network
20s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-09-2024 08:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7d9a82bf38ccdfbb92810d55f99fb11_JaffaCakes118.exe
Size

2.2MB
MD5

d7d9a82bf38ccdfbb92810d55f99fb11
SHA1

05eaf56d92f83b01ea274d9b2b631be7a7c2c244
SHA256

45ea17cda42dbb123700c40421be29f9c21ae40395d3ebdf716b7706eb2e827b
SHA512

3129433837280b921e6958587eae6594ddb4b3d128d7818aafec6ded7da685689beb31e43b54e40105c67316d6e586575d080dad884b7980d667d0c666224cec
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ/:0UzeyQMS4DqodCnoe+iitjWwwz

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	d7d9a82bf38ccdfbb92810d55f99fb11_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7d9a82bf38ccdfbb92810d55f99fb11_JaffaCakes118.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	mspaint.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1992	mspaint.exe
1992	mspaint.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1992	mspaint.exe
1652	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 180 wrote to memory of 4820	180	d7d9a82bf38ccdfbb92810d55f99fb11_JaffaCakes118.exe	90
PID 180 wrote to memory of 4820	180	d7d9a82bf38ccdfbb92810d55f99fb11_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\d7d9a82bf38ccdfbb92810d55f99fb11_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d7d9a82bf38ccdfbb92810d55f99fb11_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:180
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4656,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=4628 /prefetch:8
1⤵
PID:5064

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4616

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\ApproveSkip.png" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:2428

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
memory/180-0-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/180-67-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/180-66-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2428-79-0x0000014EEA850000-0x0000014EEA851000-memory.dmp

Filesize
4KB

Download
memory/2428-72-0x0000014EE2560000-0x0000014EE2570000-memory.dmp

Filesize
64KB

Download
memory/2428-68-0x0000014EE1BC0000-0x0000014EE1BD0000-memory.dmp

Filesize
64KB

Download
memory/2428-81-0x0000014EEA8D0000-0x0000014EEA8D1000-memory.dmp

Filesize
4KB

Download
memory/2428-83-0x0000014EEA8D0000-0x0000014EEA8D1000-memory.dmp

Filesize
4KB

Download
memory/2428-85-0x0000014EEA960000-0x0000014EEA961000-memory.dmp

Filesize
4KB

Download
memory/2428-84-0x0000014EEA960000-0x0000014EEA961000-memory.dmp

Filesize
4KB

Download
memory/2428-86-0x0000014EEA970000-0x0000014EEA971000-memory.dmp

Filesize
4KB

Download
memory/2428-87-0x0000014EEA970000-0x0000014EEA971000-memory.dmp

Filesize
4KB

Download