0e8aebca7070d9ba9c3d305682cb0dd496d23d06ff2e8fba4cb1c9400bb7d567

Analysis

max time kernel
91s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da48b0ba28e4af65809f74196268f76e_JaffaCakes118.exe
Size

152KB
MD5

da48b0ba28e4af65809f74196268f76e
SHA1

b13b1714c3658a29d504f2cef68db56a229db83e
SHA256

0e8aebca7070d9ba9c3d305682cb0dd496d23d06ff2e8fba4cb1c9400bb7d567
SHA512

76ce040443dbb469924d8bb823eecdfcecd27de705b55dee78caa170f56e0fd8a84d5d9ba29c7056d62bfacf6da5684c3200016684c766f6f478756e1f8242cd
SSDEEP

3072:9hQGtLpoVwL6GyHSqREdFgxm2FCM5i0ikSsi9GbYuY:ZJE66GBqREfL8bb9Ssik8

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2200	inetsrv.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\inetsrv.exe	da48b0ba28e4af65809f74196268f76e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\inetsrv.dll	inetsrv.exe
File created	C:\Windows\SysWOW64\inetsrv.dll	da48b0ba28e4af65809f74196268f76e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inetsrv.exe	da48b0ba28e4af65809f74196268f76e_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da48b0ba28e4af65809f74196268f76e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inetsrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2200	inetsrv.exe
2200	inetsrv.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 676	2200	inetsrv.exe	7
PID 4200 wrote to memory of 5088	4200	da48b0ba28e4af65809f74196268f76e_JaffaCakes118.exe	86
PID 4200 wrote to memory of 5088	4200	da48b0ba28e4af65809f74196268f76e_JaffaCakes118.exe	86
PID 4200 wrote to memory of 5088	4200	da48b0ba28e4af65809f74196268f76e_JaffaCakes118.exe	86

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\da48b0ba28e4af65809f74196268f76e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da48b0ba28e4af65809f74196268f76e_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5088

C:\Windows\SysWOW64\inetsrv.exe
C:\Windows\SysWOW64\inetsrv.exe -service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp.bat

Filesize
172B

MD5
c7a3506394b96944fb8df3164604b4ab

SHA1
6339b73434e1c22847f52a8d1ad8e8749739df48

SHA256
4cdd57e45db91f2b1e79394ce89913398e5e8ab666a9529e809bdfe0dffc60d6

SHA512
b543939a2c9f61720b30b372372728dd0cf4a6de528742304b550b38fbca8ae6952e845e44ca4ec85143ee5f6573ac26bac9298d3c5ba24ab72a8d596f7e7422

Download Submit
C:\Windows\SysWOW64\inetsrv.dll

Filesize
103KB

MD5
157af8909d5d4d84fb1ed614552fd13d

SHA1
7ee754bfd867511995a81b602ce578b8206030e1

SHA256
efad3d7a61b6e017e08bc5afb99e7574bce554f5ce8c16c951f10ec5978b8d09

SHA512
db266355bdaf65ce61f57e9c04a10deae9ade6aa3d6a459cbf5aef235d0424e1bf4a5eecc0151a30b9ade44c1c4af223553d4ee592ee7abf6a928f440f36fd02

Download Submit
C:\Windows\SysWOW64\inetsrv.exe

Filesize
152KB

MD5
da48b0ba28e4af65809f74196268f76e

SHA1
b13b1714c3658a29d504f2cef68db56a229db83e

SHA256
0e8aebca7070d9ba9c3d305682cb0dd496d23d06ff2e8fba4cb1c9400bb7d567

SHA512
76ce040443dbb469924d8bb823eecdfcecd27de705b55dee78caa170f56e0fd8a84d5d9ba29c7056d62bfacf6da5684c3200016684c766f6f478756e1f8242cd

Download Submit