4243d8cec767ff6c23608d9f2d34aa24773ff4af570ba50b023f279b2cef0000

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddcf665b7f46673958cccd0ca46b92e0_JaffaCakes118.exe
Size

64KB
MD5

ddcf665b7f46673958cccd0ca46b92e0
SHA1

1a734315113949d1bb516ea4b427f759c3175098
SHA256

4243d8cec767ff6c23608d9f2d34aa24773ff4af570ba50b023f279b2cef0000
SHA512

6191fd1755fbfbc870dc69f18b167fcfe0429db1dcc5f898e02e9be192a3c2d743dee1a3cbfb84e72b1cd06bbf749fc6c24607a3e129e7b20d426c5a0d32b033
SSDEEP

1536:L3Ebkz9Ui313E7y9Sj8EGNPUKAIpe+cK:L3Jzio1399FEcszYe+cK

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2776	volumeid.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VolumeId = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ddcf665b7f46673958cccd0ca46b92e0_JaffaCakes118.exe"	ddcf665b7f46673958cccd0ca46b92e0_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\volumeid.exe	ddcf665b7f46673958cccd0ca46b92e0_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddcf665b7f46673958cccd0ca46b92e0_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2212	ddcf665b7f46673958cccd0ca46b92e0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2776	2212	ddcf665b7f46673958cccd0ca46b92e0_JaffaCakes118.exe	30
PID 2212 wrote to memory of 2776	2212	ddcf665b7f46673958cccd0ca46b92e0_JaffaCakes118.exe	30
PID 2212 wrote to memory of 2776	2212	ddcf665b7f46673958cccd0ca46b92e0_JaffaCakes118.exe	30
PID 2212 wrote to memory of 2776	2212	ddcf665b7f46673958cccd0ca46b92e0_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\ddcf665b7f46673958cccd0ca46b92e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ddcf665b7f46673958cccd0ca46b92e0_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\volumeid.exe
  C:\Windows\volumeid.exe C: 5417-95C6
  2⤵
  - Executes dropped EXE
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\volumeid.exe

Filesize
36KB

MD5
55505d72af82dfb2903c5d3a73d99f4a

SHA1
c8962f6e70c5b0ccf073d0fed632053aa5d6b074

SHA256
0b099423a44205e3a46e7801902b8bd0f08892abce9e23e202b0c3f0a8ac6adc

SHA512
7f2ce38181ae39753da7a5135b9da76eecb982c0e7085e5f7a4d645c0b8071270c01f9eaf7326ef90bbf9066e699c955c1efc2f71664d5e159a856e52b207a78

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads