e703795278325a76dcc740a07efa715d3ed4dedbc4aa36e2899d43e98db30f32

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbd1611bba3360607aabc2b133dfa44e_JaffaCakes118.exe
Size

139KB
MD5

dbd1611bba3360607aabc2b133dfa44e
SHA1

649d72375d0b8c872184d94d754a38eb7d187306
SHA256

e703795278325a76dcc740a07efa715d3ed4dedbc4aa36e2899d43e98db30f32
SHA512

44f2f2be1a5fb9e93c7711dfa7887c7971fbc53daa989ccdb4106d9cc9f73067eca7ce4c409271ab9fa59f3456d5d6f24b55f2cc362b73083133bbf5e7674761
SSDEEP

3072:D+PfirrvusshGGBSf9X2aKFtjhIjs0mzsdA0AXT:yPe5ss8Sf9XmFtyTmqA

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2540	explore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2540	explore.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2540	2228	dbd1611bba3360607aabc2b133dfa44e_JaffaCakes118.exe	29
PID 2228 wrote to memory of 2540	2228	dbd1611bba3360607aabc2b133dfa44e_JaffaCakes118.exe	29
PID 2228 wrote to memory of 2540	2228	dbd1611bba3360607aabc2b133dfa44e_JaffaCakes118.exe	29
PID 2228 wrote to memory of 2540	2228	dbd1611bba3360607aabc2b133dfa44e_JaffaCakes118.exe	29
PID 2540 wrote to memory of 1200	2540	explore.exe	21
PID 2540 wrote to memory of 1200	2540	explore.exe	21
PID 2540 wrote to memory of 1200	2540	explore.exe	21
PID 2540 wrote to memory of 1200	2540	explore.exe	21
PID 2540 wrote to memory of 1200	2540	explore.exe	21
PID 2540 wrote to memory of 1200	2540	explore.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\dbd1611bba3360607aabc2b133dfa44e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\dbd1611bba3360607aabc2b133dfa44e_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\explore.exe
    "C:\Users\Admin\AppData\Local\Temp\explore.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\explore.exe

Filesize
63KB

MD5
0d11153cfeb5429db568209d157477bd

SHA1
fbf7367fe38dcfd2c4e7cefed5095eb2222b04a3

SHA256
a3b7257713c1a75a93fd2120dc6e92590d8126d915d0a470755517e8b1f45f39

SHA512
12db10b6b7b613298054f2ed7b12c8fcae123104061b542f661ec1c8555e43eeedecd66518b5e48986c6161be2c95be1115b3c1eab942326eaf2def9fd9acfd9

Download Submit
memory/1200-15-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/1200-22-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/2228-0-0x000007FEF605E000-0x000007FEF605F000-memory.dmp

Filesize
4KB

Download
memory/2228-1-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

Filesize
9.6MB

Download
memory/2228-2-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

Filesize
9.6MB

Download
memory/2228-3-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

Filesize
9.6MB

Download
memory/2228-21-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp

Filesize
9.6MB

Download
memory/2540-14-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2540-11-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2540-34-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download