8fd4054f6f4a904607ecf2750a222c6e3ca781122dcde4fa6838c27129b9a612

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
Size

170KB
MD5

db0a0d1863eafd07f3aaed6ced1ff416
SHA1

3672251cb46fd4dae9b8a2aea2016a35eb3393f0
SHA256

8fd4054f6f4a904607ecf2750a222c6e3ca781122dcde4fa6838c27129b9a612
SHA512

813c242710ca323c9544af28282edceb8f8224a80850caccd4f81f711e6602484d5f9fa516c57425530cc890eb9283a438b8a8bac79603fee7a5297078234eb6
SSDEEP

3072:jmVW8iTX/3RfldjjXq1+0cxxsWEL02fXcIp08MoeA5SBPi6Ag2dyDE4p:aM7jJlRexYTHYZM1P92IDEg

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winxcfg.exe = "C:\\Windows\\system32\\winxcfg.exe"	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\macromd\invisible IP.exe	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\yahoo hacker.exe	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\momma's juggs that make you scream for mercy.mpg.pif	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\sexy brunette showing her bod outside the house.mpg.pif	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\old fucker punishing teeny.mpg.pif	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\Choke on cum (sodomy, rape).mpg.exe	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\horny teen waking up with her pink pussy spread.mpg.pif	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\MSN Password Hacker and Stealer.exe	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\password stealer.exe	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\16 year old on beach.exe	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\Winzip.exe	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\nude.exe	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\win2k serial.exe	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\fun slut who let dude eat her off in jacuzzi.mpg.pif	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\yummy lesbos licking.mpg.pif	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winxcfg.exe	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\Counter Strike CD Keygen.exe	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\babes with great lips that knows how suck cock.mpg.pif	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\sweet ass blonde teen with dripping wet pussy.mpg.pif	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\firm ass honie with thick lips made for sucking rods.mpg.pif	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\preteen snuff sex rape with a stick hardcore.mpg.pif	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\two studs fucking the hell out of a slut from behind.mpg.pif	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\two teen lesbians with dildo having fun.mpg.pif	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\redhead getting a group facial at a wild party.mpg.pif	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\Teen Violent Forced Gangbang.exe	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\honies letting dudes flush mouths full of hot cum.mpg.pif	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\babes with an assortment of delicious big juggs.mpg.pif	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\warcraft 3 crack.exe	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\girls gone wild.mpg.exe	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\Yahoo mail cracker.exe	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\Napster Clone.exe	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\busty blondie with cool ass.mpg.pif	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\chubby girl fucked from all angles xxx.exe	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\db0a0d1863eafd07f3aaed6ced1ff416_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\macromd\password stealer.exe

Filesize
81KB

MD5
80b7aaa62fb800c59bb84b0844d77b98

SHA1
69686274e5a7a4820bdcd8405958040fa8243ebd

SHA256
bc773efd7327d911e9f520d91596b6d69e1c616758ab1c8557645243fb171307

SHA512
f496aafb7f93b2220ce75eb026582912258d7704ef94da03b7c8c4b21d3b1f573ba5d297370df700cdd8b482096d529992f3517adb8f59e2832bb2e4c8a67f37

Download Submit
memory/2704-33-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads