70f6bb0eeb4d41ec476f347e8e04edab4324474090d47d9d45aae4e0a5229ce8

Analysis

max time kernel
118s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dacc42606be5f92b63f95f9188d3697f_JaffaCakes118.exe
Size

535KB
MD5

dacc42606be5f92b63f95f9188d3697f
SHA1

ff3f0d7a66a230e074ff52fdd4dd99180b0d3097
SHA256

70f6bb0eeb4d41ec476f347e8e04edab4324474090d47d9d45aae4e0a5229ce8
SHA512

93ad578c6e73b3fcc8ac93956e82e95eb48970b3444b349e31fb9c5aa11ccb452b358aafc81bbf84e7a4ea540fbef1b9553c02f95079aaa3432a944a6979d07b
SSDEEP

12288:kJugnPrXUVsf1Rrx9BGahHdytAwypp2nlTvcV:k8cPrIsf15hGydBwyppolT

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5076	tip.gif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5076 set thread context of 3272	5076	tip.gif	88

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\web\printers\images\tip.gif	dacc42606be5f92b63f95f9188d3697f_JaffaCakes118.exe
File opened for modification	C:\Windows\web\printers\images\tip.gif	dacc42606be5f92b63f95f9188d3697f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dacc42606be5f92b63f95f9188d3697f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tip.gif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3272	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 4356	4608	dacc42606be5f92b63f95f9188d3697f_JaffaCakes118.exe	87
PID 4608 wrote to memory of 4356	4608	dacc42606be5f92b63f95f9188d3697f_JaffaCakes118.exe	87
PID 4608 wrote to memory of 4356	4608	dacc42606be5f92b63f95f9188d3697f_JaffaCakes118.exe	87
PID 5076 wrote to memory of 3272	5076	tip.gif	88
PID 5076 wrote to memory of 3272	5076	tip.gif	88
PID 5076 wrote to memory of 3272	5076	tip.gif	88
PID 5076 wrote to memory of 3272	5076	tip.gif	88
PID 5076 wrote to memory of 3272	5076	tip.gif	88

C:\Users\Admin\AppData\Local\Temp\dacc42606be5f92b63f95f9188d3697f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dacc42606be5f92b63f95f9188d3697f_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\RFPAFW.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4356

C:\Windows\web\printers\images\tip.gif
C:\Windows\web\printers\images\tip.gif
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" 55548
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RFPAFW.bat

Filesize
218B

MD5
08fc31291160be5764d55ddf5159b0e1

SHA1
fc69e180c06cc76e7aa16445b99a238bd932fcc8

SHA256
5e8b0245c0170076ff96e3e491a92859a2ecb5bd6b7728d55de7bc4094e0eff8

SHA512
bc780b05fee135cce23c4c3a2887cd01005000b052165e3a7cf69f98f82b3eb30b27d2ed028cfcf65ea57e2d78ba53b437f0792ac0bf211b8c7becac759f1ead

Download Submit
C:\Windows\web\printers\images\tip.gif

Filesize
535KB

MD5
dacc42606be5f92b63f95f9188d3697f

SHA1
ff3f0d7a66a230e074ff52fdd4dd99180b0d3097

SHA256
70f6bb0eeb4d41ec476f347e8e04edab4324474090d47d9d45aae4e0a5229ce8

SHA512
93ad578c6e73b3fcc8ac93956e82e95eb48970b3444b349e31fb9c5aa11ccb452b358aafc81bbf84e7a4ea540fbef1b9553c02f95079aaa3432a944a6979d07b

Download Submit
memory/3272-8-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/4608-0-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/4608-9-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/5076-5-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/5076-11-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download