a58a4abd7401ddbd4c11a8c47b67779b4ae9f8cdc0cc634ad1798984c90a092e

Analysis

max time kernel
141s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-09-2024 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9d1886fc2eace9567c07f8e4ebffd61_JaffaCakes118.exe
Size

4.9MB
MD5

d9d1886fc2eace9567c07f8e4ebffd61
SHA1

f6845179cdf112eb13b0c3be751580d9cda65f79
SHA256

a58a4abd7401ddbd4c11a8c47b67779b4ae9f8cdc0cc634ad1798984c90a092e
SHA512

b13b0aa4081bfdae718bf9b0d65734005f46651adbb4f8532ead779fd08b0de22d7c85cc39042cb7bb836416863371553c6889f7a03a27597be7fc7a1d16d6e0
SSDEEP

98304:CiDp3w+dPIWh+zG1BOI+Xp5vJLO/4tNCz5eJTyN3dM8lMWyA7jCq:nDpg8IWh+zSBglxHJ+Xeq

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2332	is-SB4O0.tmp

Loads dropped DLL 4 IoCs

pid	Process
2276	d9d1886fc2eace9567c07f8e4ebffd61_JaffaCakes118.exe
2332	is-SB4O0.tmp
2332	is-SB4O0.tmp
2332	is-SB4O0.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9d1886fc2eace9567c07f8e4ebffd61_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-SB4O0.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2332	is-SB4O0.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2332	2276	d9d1886fc2eace9567c07f8e4ebffd61_JaffaCakes118.exe	31
PID 2276 wrote to memory of 2332	2276	d9d1886fc2eace9567c07f8e4ebffd61_JaffaCakes118.exe	31
PID 2276 wrote to memory of 2332	2276	d9d1886fc2eace9567c07f8e4ebffd61_JaffaCakes118.exe	31
PID 2276 wrote to memory of 2332	2276	d9d1886fc2eace9567c07f8e4ebffd61_JaffaCakes118.exe	31
PID 2276 wrote to memory of 2332	2276	d9d1886fc2eace9567c07f8e4ebffd61_JaffaCakes118.exe	31
PID 2276 wrote to memory of 2332	2276	d9d1886fc2eace9567c07f8e4ebffd61_JaffaCakes118.exe	31
PID 2276 wrote to memory of 2332	2276	d9d1886fc2eace9567c07f8e4ebffd61_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\d9d1886fc2eace9567c07f8e4ebffd61_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d9d1886fc2eace9567c07f8e4ebffd61_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\is-GC7V5.tmp\is-SB4O0.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GC7V5.tmp\is-SB4O0.tmp" /SL4 $301CE "C:\Users\Admin\AppData\Local\Temp\d9d1886fc2eace9567c07f8e4ebffd61_JaffaCakes118.exe" 4847906 209408
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-GC7V5.tmp\is-SB4O0.tmp

Filesize
795KB

MD5
32cd72cc3dde3152517a59a0654a6845

SHA1
5c7d1b7d6436e1a7365204a7b896d743b29fde5f

SHA256
a57a66f1c690107a80893936782a7297f40a6a02b8518a5dbad3e07f7a46f207

SHA512
593dabcfc551315fe915624c248ccab6826118a472b05d07334c067e6dd90fbffd3db82ce8cc1deaca5a88fb6473e9cc2459d4441f534ec125f44b7650fdfd97

Download Submit
\Users\Admin\AppData\Local\Temp\is-K1U04.tmp\MultiServer.dll

Filesize
190KB

MD5
24331348e4737ea19b67b0833cf2c594

SHA1
a54417ebc0da05543d7fea366c686cf9495974a4

SHA256
e7839609ef26a1b492328ed195b7f53f41a32720cd7e6092758e5848f7d17497

SHA512
1f3b7ab5b0390f4b229a3bc8f952997fc237490d06d374e79ba1f169e6920b7bc4dac7270ab7564a1889ab91c04ac39f3d579a13aa752d0e87736bbc3a983098

Download Submit
\Users\Admin\AppData\Local\Temp\is-K1U04.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2276-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2276-2-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2276-19-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2332-17-0x00000000030D0000-0x0000000003104000-memory.dmp

Filesize
208KB

Download
memory/2332-21-0x00000000030D0000-0x0000000003104000-memory.dmp

Filesize
208KB

Download
memory/2332-20-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download