b33fb395e5d7d7d164d3026472e66282ae93611738a60c4e3ff199e67a027838

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc2c60c00b903e21ae70f02998d1ba46_JaffaCakes118.exe
Size

1.5MB
MD5

dc2c60c00b903e21ae70f02998d1ba46
SHA1

cd58ed126908718d61fe622588bbff1668fb3c01
SHA256

b33fb395e5d7d7d164d3026472e66282ae93611738a60c4e3ff199e67a027838
SHA512

216c37d4ca8bc01332ed0a7da44c2c8ac38abbe85737bb7225ef77f822bc17b5b07bb3afadd1df219edbca50754c85f48512fa38d385ed96ad186e1c03a66224
SSDEEP

24576:1vYbYKnbmtGMVTgPgRZYYinpJ40OeY8ejj7pmfwvYBiM2wGktrII2gm+OcowR2rA:UvhY8evljoiMbGUjffbsyuaQslzEvcT/

Score

7^/10

discovery evasion trojan

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2420	explorer.exe
4628	explorer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4752 set thread context of 4544	4752	dc2c60c00b903e21ae70f02998d1ba46_JaffaCakes118.exe	94
PID 2420 set thread context of 4628	2420	explorer.exe	98

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc2c60c00b903e21ae70f02998d1ba46_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc2c60c00b903e21ae70f02998d1ba46_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4544	dc2c60c00b903e21ae70f02998d1ba46_JaffaCakes118.exe
4544	dc2c60c00b903e21ae70f02998d1ba46_JaffaCakes118.exe
4544	dc2c60c00b903e21ae70f02998d1ba46_JaffaCakes118.exe
4544	dc2c60c00b903e21ae70f02998d1ba46_JaffaCakes118.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4752	dc2c60c00b903e21ae70f02998d1ba46_JaffaCakes118.exe
2420	explorer.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 4544	4752	dc2c60c00b903e21ae70f02998d1ba46_JaffaCakes118.exe	94
PID 4752 wrote to memory of 4544	4752	dc2c60c00b903e21ae70f02998d1ba46_JaffaCakes118.exe	94
PID 4752 wrote to memory of 4544	4752	dc2c60c00b903e21ae70f02998d1ba46_JaffaCakes118.exe	94
PID 4752 wrote to memory of 4544	4752	dc2c60c00b903e21ae70f02998d1ba46_JaffaCakes118.exe	94
PID 4752 wrote to memory of 4544	4752	dc2c60c00b903e21ae70f02998d1ba46_JaffaCakes118.exe	94
PID 4752 wrote to memory of 4544	4752	dc2c60c00b903e21ae70f02998d1ba46_JaffaCakes118.exe	94
PID 4752 wrote to memory of 4544	4752	dc2c60c00b903e21ae70f02998d1ba46_JaffaCakes118.exe	94
PID 4752 wrote to memory of 4544	4752	dc2c60c00b903e21ae70f02998d1ba46_JaffaCakes118.exe	94
PID 4752 wrote to memory of 4544	4752	dc2c60c00b903e21ae70f02998d1ba46_JaffaCakes118.exe	94
PID 4544 wrote to memory of 2420	4544	dc2c60c00b903e21ae70f02998d1ba46_JaffaCakes118.exe	95
PID 4544 wrote to memory of 2420	4544	dc2c60c00b903e21ae70f02998d1ba46_JaffaCakes118.exe	95
PID 4544 wrote to memory of 2420	4544	dc2c60c00b903e21ae70f02998d1ba46_JaffaCakes118.exe	95
PID 2420 wrote to memory of 4628	2420	explorer.exe	98
PID 2420 wrote to memory of 4628	2420	explorer.exe	98
PID 2420 wrote to memory of 4628	2420	explorer.exe	98
PID 2420 wrote to memory of 4628	2420	explorer.exe	98
PID 2420 wrote to memory of 4628	2420	explorer.exe	98
PID 2420 wrote to memory of 4628	2420	explorer.exe	98
PID 2420 wrote to memory of 4628	2420	explorer.exe	98
PID 2420 wrote to memory of 4628	2420	explorer.exe	98
PID 2420 wrote to memory of 4628	2420	explorer.exe	98
PID 4628 wrote to memory of 4348	4628	explorer.exe	99
PID 4628 wrote to memory of 4348	4628	explorer.exe	99
PID 4628 wrote to memory of 4348	4628	explorer.exe	99

C:\Users\Admin\AppData\Local\Temp\dc2c60c00b903e21ae70f02998d1ba46_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc2c60c00b903e21ae70f02998d1ba46_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Users\Admin\AppData\Local\Temp\dc2c60c00b903e21ae70f02998d1ba46_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\dc2c60c00b903e21ae70f02998d1ba46_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Users\Admin\AppData\Local\Temp\explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\explorer.exe" 1
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\explorer.exe
      "C:\Users\Admin\AppData\Local\Temp\explorer.exe" 1
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3643.bat"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3643.bat

Filesize
182B

MD5
8c43a629fb9ff36c32334ba7f0ebaf58

SHA1
07f2447c0bceb44c0dd297608221d928d4148ddd

SHA256
fb859c78c5c3dbc0e7c74b57eb762563d181d237c6adc35f5a8f267296a47df4

SHA512
104142ad323e65c985e9b14fd8c95896494a5dbb09551a448179836b2321e25f45a2fa412b517e7162b60baaff7336cdee9d545632192828c0e6a3d8217f6ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
1.5MB

MD5
dc2c60c00b903e21ae70f02998d1ba46

SHA1
cd58ed126908718d61fe622588bbff1668fb3c01

SHA256
b33fb395e5d7d7d164d3026472e66282ae93611738a60c4e3ff199e67a027838

SHA512
216c37d4ca8bc01332ed0a7da44c2c8ac38abbe85737bb7225ef77f822bc17b5b07bb3afadd1df219edbca50754c85f48512fa38d385ed96ad186e1c03a66224

Download Submit
C:\Users\Admin\AppData\Local\Temp\~15F.tmp

Filesize
16B

MD5
32b66cc996e5b7a2c0b84563a34ce0ec

SHA1
01ab1f76f97ca7dc90fccd3df3adcc2299f42c00

SHA256
ccccd2c9b4feaf20256e9957f27c4e18388504a25301ae0479d81264e7f8919c

SHA512
b6fbdc15702737829451b222011ed66d476838f0d532336ccdc28f307b7f11eee2d41ad98c82776fdb74b9f56aadc15836b67bf6f86f425aea7aca3ccdb8c3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\~198.tmp

Filesize
16B

MD5
a02f4b85f388b8626dbfbc5168d78caa

SHA1
e53e6a866e7b3cfcc87a09059bfc86bd70478fd8

SHA256
e85b4c9698e2d16f3c6e949bce0b915fa748a6d222d81b509fedf8d2d2fc16eb

SHA512
4c4ec7fff26e88d0891f5f9a2a3a4c3e3ef010439963ece28ce466a929288fe6635142ea2b052c646bc4d06812cdfca095cfa33cc2813295b208857e1a72d4f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1D2.tmp

Filesize
16B

MD5
1672961f7d9f0ae4a642e87b874abec0

SHA1
4f614c50ff5337963812cc80187d99d567a909dc

SHA256
3fc1dddb17b0b95ab3b1494b479143bb30b42aedb248d1969fc0290fa525b50d

SHA512
28d8865e3890a2bf14f7320bfc0efed4f7698dc04e663ae0df479cce305b8e27311d81fc4ada3de90bb15dc896a70d3b62250ccb3c6a6f30c0ce5bd995812ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1EF.tmp

Filesize
16B

MD5
b8443275af09fb379436d3f43c2250d4

SHA1
c2b0004d50c0a1346d3f97edfa4d4196cadd70cb

SHA256
4cef25ae832c6bb7add38ad4d6dcb224b9451a27eaa60d14cdecc5822241854c

SHA512
ecc5c68d20ef816bddf03b616a98fc94e4ed548428ce6443852eb0c7a8f95a5117a9ddb6d700b0e4152f9ed187495a2e8cd8c366edcbe282a5fe37d52aee5778

Download Submit
C:\Users\Admin\AppData\Local\Temp\~220.tmp

Filesize
16B

MD5
1e2281a0ccde48c406b7491fe0f016cb

SHA1
3c94e26901e2b9893bd4d858458c20cb44eea720

SHA256
ef841377808e4f2566b91bffa63bebf0d0d915041ec17c63327deb4a8fa2655d

SHA512
0c78857e324df7d98ec58d91b8b6b2d279f8d960e31c3cd5e40a6ab6488ab78cbd70b63bfb7768fe1ca15c2fc6b2b0bae345a893f50076dee4452af8276049cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\~88.tmp

Filesize
16B

MD5
be7b849031f32a6a3d18f5e862a5f34c

SHA1
3b2710b8bf72579dcefc825947d48d3a0d2a181e

SHA256
b87e7d04ccf9828b5c1c74cad1964fc46039cb1aa9e6dcf27bf51e5c0904b71e

SHA512
0c7fb856fa1540644a2c034185d8b5d24aff9039c1be5bed9e3a0075911ff3649e48044951a3389a0d36765e07dd3315167592e1c2ce260c86c960d81fb3e2c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~95.tmp

Filesize
16B

MD5
7734c8f4a7b615a0ecd2e6f77df22397

SHA1
d8574026df0aa4dc2469a2e2487ba1ca8a92c1ca

SHA256
2ffd9f83f45d310c1193ea532ee492c303560860fd539a6d3cfdac45edb2baac

SHA512
cbbc79d6703a2f3def63d167f653d6deb3b065ae04d172642516d8a467b7d212a7062478d6523b64edebae860cb58d89907ed7a5d1b02c34ab25b2113b03b013

Download Submit
C:\Users\Admin\AppData\Local\Temp\~E5.tmp

Filesize
16B

MD5
8c2b50fd526085f992f243a5c908951b

SHA1
a84b1623499d3205d11ad75c2f1646238ec18ea0

SHA256
0d19838ed4dff42f2157c21464bce282931503bcd1dff78b1af0c40e4ddc728f

SHA512
85190f854847194ffeb92b9b47f396f243eff013084578a6b364a7d2651486ad6382c2bc8c9f5bed05be29b1dbefac1bfeade7c734ac32f54398ef0e6a050a47

Download Submit
memory/4544-44-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4544-38-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4544-82-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4544-112-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4544-41-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4628-104-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4628-105-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4628-106-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4628-110-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4628-114-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4628-119-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download