49caadac601106fea44e5865d240e71989b737a27968cf07a585cb6aa7b506d5

Analysis

max time kernel
142s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe
Size

184KB
MD5

dd8b1b0b9002f34b6de1ce5795af7044
SHA1

21a258520bc8a5752bd301fdc30246e2d7b09cf1
SHA256

49caadac601106fea44e5865d240e71989b737a27968cf07a585cb6aa7b506d5
SHA512

291cdbd385222f9c5569b00446f2288db97a069c56de0f90bbc6e045d8630132a246dc1ce283350ee101a1e9b01a8e6edf4356b637768a0735d433d3b8bf4d28
SSDEEP

3072:6Xj0wZchwJVqMuS4OX0ggDDIotbJKbkrQa:azZ4wzZuS4OXRmDnbJka

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2380 set thread context of 2376	2380	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	29
PID 2732 set thread context of 2280	2732	svchost.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
2376	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe
2376	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2380	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe
2732	svchost.exe
2280	svchost.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2376	2380	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	29
PID 2380 wrote to memory of 2376	2380	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	29
PID 2380 wrote to memory of 2376	2380	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	29
PID 2380 wrote to memory of 2376	2380	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	29
PID 2380 wrote to memory of 2376	2380	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	29
PID 2380 wrote to memory of 2376	2380	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	29
PID 2380 wrote to memory of 2376	2380	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	29
PID 2380 wrote to memory of 2376	2380	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	29
PID 2380 wrote to memory of 2376	2380	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	29
PID 2380 wrote to memory of 2376	2380	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	29
PID 2376 wrote to memory of 3004	2376	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	30
PID 2376 wrote to memory of 3004	2376	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	30
PID 2376 wrote to memory of 3004	2376	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	30
PID 2376 wrote to memory of 3004	2376	dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe	30
PID 3004 wrote to memory of 2732	3004	cmd.exe	32
PID 3004 wrote to memory of 2732	3004	cmd.exe	32
PID 3004 wrote to memory of 2732	3004	cmd.exe	32
PID 3004 wrote to memory of 2732	3004	cmd.exe	32
PID 2732 wrote to memory of 2280	2732	svchost.exe	33
PID 2732 wrote to memory of 2280	2732	svchost.exe	33
PID 2732 wrote to memory of 2280	2732	svchost.exe	33
PID 2732 wrote to memory of 2280	2732	svchost.exe	33
PID 2732 wrote to memory of 2280	2732	svchost.exe	33
PID 2732 wrote to memory of 2280	2732	svchost.exe	33
PID 2732 wrote to memory of 2280	2732	svchost.exe	33
PID 2732 wrote to memory of 2280	2732	svchost.exe	33
PID 2732 wrote to memory of 2280	2732	svchost.exe	33
PID 2732 wrote to memory of 2280	2732	svchost.exe	33
PID 2280 wrote to memory of 2444	2280	svchost.exe	34
PID 2280 wrote to memory of 2444	2280	svchost.exe	34
PID 2280 wrote to memory of 2444	2280	svchost.exe	34
PID 2280 wrote to memory of 2444	2280	svchost.exe	34

C:\Users\Admin\AppData\Local\Temp\dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c run.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      svchost.exe
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2280
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\reg.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\reg.vbs

Filesize
292B

MD5
344f0e480669a6cfd147877470601f46

SHA1
64a32bcf575b29267f4d2f1f834ce9cb12640dec

SHA256
258def3e3c6d2f23d29a96209218ba58f40dbe644938452dcfc48fd113a7bea6

SHA512
cd06b8630ac28b936a041566a85dde8f1c799f3dae952540f8bd07845d81ec3dae2f58b12866c9e5c6fdc5357d2cf181e87e61da641f6b2bea46f6ffaa7ef700

Download Submit
C:\Users\Admin\AppData\Local\Temp\run.bat

Filesize
11B

MD5
d1c56374fff0243832b8696d133b7861

SHA1
f4d236fdec2fd03914189c3b26e5cb0dfea9d761

SHA256
8e8eab0b4bfdc35c5f238935b81298e43970ee6818e9629d725297ebf03838a6

SHA512
e74cbfc425b9779b79dfb6b53dbf3d1451f9f35a766cc5167932b95c9bdb5288b65f9886fbdf3c3b180bf3a8360bfa1ef577b63e3443cae04b49e7ece433c452

Download Submit
memory/2280-23-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2280-22-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2280-28-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2376-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2376-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2376-6-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2376-8-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2376-12-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download