8be17a116f29da3d4214d54cf0868898863b9cd74a27502a5a4fd7c936f6f77a

Analysis

max time kernel
147s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddbbc1adfb89a7efc303a83a22cde0a5_JaffaCakes118.exe
Size

91KB
MD5

ddbbc1adfb89a7efc303a83a22cde0a5
SHA1

9dec902f5356431ee6ec19b2f6687a3d2f38cd7c
SHA256

8be17a116f29da3d4214d54cf0868898863b9cd74a27502a5a4fd7c936f6f77a
SHA512

6e94e6d232316285064f806e00a94541aef8ff3c178a4f3bd2d7938605af0aa79092f4de4ed3ca00bbfc1e648935e6e533cb65cdf3e002d7f2d647b9803a628a
SSDEEP

1536:HI1nwAvHt2VRhwsWCZtmVncyv+yNA9p/bxWGKaYrBXB5DoSLHxATAiF6Nnlh8:HJAvHtqhXv0Dv+yu9hxWQMXB5USd2vFx

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
3396	svchosts.exe
3196	svchosts.exe
1244	svchosts.exe
2936	svchosts.exe
1644	svchosts.exe
4896	svchosts.exe
2372	svchosts.exe
5024	svchosts.exe
3520	svchosts.exe
5052	svchosts.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchosts.exe	ddbbc1adfb89a7efc303a83a22cde0a5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	ddbbc1adfb89a7efc303a83a22cde0a5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddbbc1adfb89a7efc303a83a22cde0a5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 3396	2200	ddbbc1adfb89a7efc303a83a22cde0a5_JaffaCakes118.exe	83
PID 2200 wrote to memory of 3396	2200	ddbbc1adfb89a7efc303a83a22cde0a5_JaffaCakes118.exe	83
PID 2200 wrote to memory of 3396	2200	ddbbc1adfb89a7efc303a83a22cde0a5_JaffaCakes118.exe	83
PID 3396 wrote to memory of 3196	3396	svchosts.exe	95
PID 3396 wrote to memory of 3196	3396	svchosts.exe	95
PID 3396 wrote to memory of 3196	3396	svchosts.exe	95
PID 3196 wrote to memory of 1244	3196	svchosts.exe	97
PID 3196 wrote to memory of 1244	3196	svchosts.exe	97
PID 3196 wrote to memory of 1244	3196	svchosts.exe	97
PID 1244 wrote to memory of 2936	1244	svchosts.exe	99
PID 1244 wrote to memory of 2936	1244	svchosts.exe	99
PID 1244 wrote to memory of 2936	1244	svchosts.exe	99
PID 2936 wrote to memory of 1644	2936	svchosts.exe	100
PID 2936 wrote to memory of 1644	2936	svchosts.exe	100
PID 2936 wrote to memory of 1644	2936	svchosts.exe	100
PID 1644 wrote to memory of 4896	1644	svchosts.exe	101
PID 1644 wrote to memory of 4896	1644	svchosts.exe	101
PID 1644 wrote to memory of 4896	1644	svchosts.exe	101
PID 4896 wrote to memory of 2372	4896	svchosts.exe	102
PID 4896 wrote to memory of 2372	4896	svchosts.exe	102
PID 4896 wrote to memory of 2372	4896	svchosts.exe	102
PID 2372 wrote to memory of 5024	2372	svchosts.exe	103
PID 2372 wrote to memory of 5024	2372	svchosts.exe	103
PID 2372 wrote to memory of 5024	2372	svchosts.exe	103
PID 5024 wrote to memory of 3520	5024	svchosts.exe	104
PID 5024 wrote to memory of 3520	5024	svchosts.exe	104
PID 5024 wrote to memory of 3520	5024	svchosts.exe	104
PID 3520 wrote to memory of 5052	3520	svchosts.exe	105
PID 3520 wrote to memory of 5052	3520	svchosts.exe	105
PID 3520 wrote to memory of 5052	3520	svchosts.exe	105

C:\Users\Admin\AppData\Local\Temp\ddbbc1adfb89a7efc303a83a22cde0a5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ddbbc1adfb89a7efc303a83a22cde0a5_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\svchosts.exe
  C:\Windows\system32\svchosts.exe 1188 "C:\Users\Admin\AppData\Local\Temp\ddbbc1adfb89a7efc303a83a22cde0a5_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Windows\SysWOW64\svchosts.exe
    C:\Windows\system32\svchosts.exe 1140 "C:\Windows\SysWOW64\svchosts.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3196
  - - C:\Windows\SysWOW64\svchosts.exe
      C:\Windows\system32\svchosts.exe 1120 "C:\Windows\SysWOW64\svchosts.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1244
    - - C:\Windows\SysWOW64\svchosts.exe
        
        C:\Windows\system32\svchosts.exe 1124 "C:\Windows\SysWOW64\svchosts.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2936
      - C:\Windows\SysWOW64\svchosts.exe
        
        C:\Windows\system32\svchosts.exe 1112 "C:\Windows\SysWOW64\svchosts.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\svchosts.exe
        
        C:\Windows\system32\svchosts.exe 1132 "C:\Windows\SysWOW64\svchosts.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\svchosts.exe
        
        C:\Windows\system32\svchosts.exe 1104 "C:\Windows\SysWOW64\svchosts.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\svchosts.exe
        
        C:\Windows\system32\svchosts.exe 1144 "C:\Windows\SysWOW64\svchosts.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\svchosts.exe
        
        C:\Windows\system32\svchosts.exe 1148 "C:\Windows\SysWOW64\svchosts.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\svchosts.exe
        
        C:\Windows\system32\svchosts.exe 1128 "C:\Windows\SysWOW64\svchosts.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\svchosts.exe

Filesize
91KB

MD5
ddbbc1adfb89a7efc303a83a22cde0a5

SHA1
9dec902f5356431ee6ec19b2f6687a3d2f38cd7c

SHA256
8be17a116f29da3d4214d54cf0868898863b9cd74a27502a5a4fd7c936f6f77a

SHA512
6e94e6d232316285064f806e00a94541aef8ff3c178a4f3bd2d7938605af0aa79092f4de4ed3ca00bbfc1e648935e6e533cb65cdf3e002d7f2d647b9803a628a

Download Submit
memory/1244-12-0x0000000000400000-0x000000000049B780-memory.dmp

Filesize
621KB

Download
memory/1644-16-0x0000000000400000-0x000000000049B780-memory.dmp

Filesize
621KB

Download
memory/2200-0-0x0000000000400000-0x000000000049B780-memory.dmp

Filesize
621KB

Download
memory/2200-7-0x0000000000400000-0x000000000049B780-memory.dmp

Filesize
621KB

Download
memory/2372-20-0x0000000000400000-0x000000000049B780-memory.dmp

Filesize
621KB

Download
memory/2936-14-0x0000000000400000-0x000000000049B780-memory.dmp

Filesize
621KB

Download
memory/3196-10-0x0000000000400000-0x000000000049B780-memory.dmp

Filesize
621KB

Download
memory/3396-8-0x0000000000400000-0x000000000049B780-memory.dmp

Filesize
621KB

Download
memory/3520-24-0x0000000000400000-0x000000000049B780-memory.dmp

Filesize
621KB

Download
memory/4896-18-0x0000000000400000-0x000000000049B780-memory.dmp

Filesize
621KB

Download
memory/5024-22-0x0000000000400000-0x000000000049B780-memory.dmp

Filesize
621KB

Download
memory/5052-26-0x0000000000400000-0x000000000049B780-memory.dmp

Filesize
621KB

Download