b81efd7719693f02b9cb8163b174d94ccc393603fc51c383d849ef09e1952277

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df5106fe39134f79d31982cadda7505c_JaffaCakes118.exe
Size

762KB
MD5

df5106fe39134f79d31982cadda7505c
SHA1

a55af640696f82afab08ed1db31d6a3fcf2cd72c
SHA256

b81efd7719693f02b9cb8163b174d94ccc393603fc51c383d849ef09e1952277
SHA512

5e81699941659484154b98fa4c1d4de42cb24d3be8a765737546bb98f54aa13b5d50ce6739de4dc07bd7320d0ad956037ac7b97c1601bac2da2366e8d256ed17
SSDEEP

12288:vtobirltpeTtNXmLFhppAEDlPRCdc5XY/ouP9Tk284UhzSX65rdAmawrm29fPTnp:vtDltItNW7pjDlpt5XY/2TkXKza/291

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2220	internaldf5106fe39134f79d31982cadda7505c_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
340	df5106fe39134f79d31982cadda7505c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df5106fe39134f79d31982cadda7505c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	internaldf5106fe39134f79d31982cadda7505c_JaffaCakes118.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
884	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
884	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2220	internaldf5106fe39134f79d31982cadda7505c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2220	internaldf5106fe39134f79d31982cadda7505c_JaffaCakes118.exe
2220	internaldf5106fe39134f79d31982cadda7505c_JaffaCakes118.exe
2220	internaldf5106fe39134f79d31982cadda7505c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 340 wrote to memory of 2220	340	df5106fe39134f79d31982cadda7505c_JaffaCakes118.exe	30
PID 340 wrote to memory of 2220	340	df5106fe39134f79d31982cadda7505c_JaffaCakes118.exe	30
PID 340 wrote to memory of 2220	340	df5106fe39134f79d31982cadda7505c_JaffaCakes118.exe	30
PID 340 wrote to memory of 2220	340	df5106fe39134f79d31982cadda7505c_JaffaCakes118.exe	30
PID 340 wrote to memory of 2220	340	df5106fe39134f79d31982cadda7505c_JaffaCakes118.exe	30
PID 340 wrote to memory of 2220	340	df5106fe39134f79d31982cadda7505c_JaffaCakes118.exe	30
PID 340 wrote to memory of 2220	340	df5106fe39134f79d31982cadda7505c_JaffaCakes118.exe	30
PID 2220 wrote to memory of 1336	2220	internaldf5106fe39134f79d31982cadda7505c_JaffaCakes118.exe	33
PID 2220 wrote to memory of 1336	2220	internaldf5106fe39134f79d31982cadda7505c_JaffaCakes118.exe	33
PID 2220 wrote to memory of 1336	2220	internaldf5106fe39134f79d31982cadda7505c_JaffaCakes118.exe	33
PID 2220 wrote to memory of 1336	2220	internaldf5106fe39134f79d31982cadda7505c_JaffaCakes118.exe	33
PID 1336 wrote to memory of 884	1336	cmd.exe	35
PID 1336 wrote to memory of 884	1336	cmd.exe	35
PID 1336 wrote to memory of 884	1336	cmd.exe	35
PID 1336 wrote to memory of 884	1336	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\df5106fe39134f79d31982cadda7505c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df5106fe39134f79d31982cadda7505c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:340
- C:\Users\Admin\AppData\Local\Temp\nsjB869.tmp\internaldf5106fe39134f79d31982cadda7505c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nsjB869.tmp\internaldf5106fe39134f79d31982cadda7505c_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsjB869.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/df5106fe39134f79d31982cadda7505c_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsjB869.tmp/fallbackfiles/'
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\2651.bat" "C:\Users\Admin\AppData\Local\Temp\5E23CA42D3D94A798476AE95AFAF81DF\""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\$IB9XI1U

Filesize
544B

MD5
2761fabf7ff37b7623408f0d6bb042f0

SHA1
b99c75527a530d0f99a35f5d073c72abde5c31b4

SHA256
adad7caf933c7f3747d16078db669ea9144461128fd1b3825f6fb5ce7316dfa8

SHA512
f56b7b21c26e92002290b49ebf7874de72dc60348f7ad50cc43267b7f4a4aa987afe1c10dbe7a1ba5842922c45c912d3a94e6568df9523276fb919997276e390

Download Submit
C:\Users\Admin\AppData\Local\Temp\2651.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E23CA42D3D94A798476AE95AFAF81DF\5E23CA42D3D94A798476AE95AFAF81DF_LogFile.txt

Filesize
2KB

MD5
6032bd55ae613ca548dd9c6edce8c067

SHA1
3d417faa2940a4c31a09762830bd42171610fb5a

SHA256
7668eef0b9a162eac619179452528fcb731488f0b9ccea9fa52628aa619b1c2a

SHA512
ccad3efdcd224a9841b1c86519cfe2fef3ab3dd21ac0c65d0ca20ba85de5e6ec2948e3d6c1b65e04be8d49e60bb4ca46c0afe60668a35e46170f27133c0c222f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E23CA42D3D94A798476AE95AFAF81DF\5E23CA42D3D94A798476AE95AFAF81DF_LogFile.txt

Filesize
3KB

MD5
6902c693777f57c9b85e7c934719fcef

SHA1
0b67b819e00333ba0fbb08e2f8c3fb828cc3375b

SHA256
e8b2789cf5b75133db7c13fe43c506be5b4a0b02d53827717f5246f26d5c6e72

SHA512
9207a2ad5678b30e235e8c7f273c15f650ae5ded88734d98eb2f779f5f4b7cca4977d330c3f4e7d04f03a4794f789d56628c4dce1d224342c9b2ec3b78e3ff4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E23CA42D3D94A798476AE95AFAF81DF\5E23CA42D3D94A798476AE95AFAF81DF_LogFile.txt

Filesize
5KB

MD5
a8a622cf20218183f801b2c9ea8bd0b7

SHA1
b1d0bc84a8695eff72b25081ef62348dd8208ed9

SHA256
91d2ecc176c2004201cf252e28336220ac9bad18fe3bfdb2cb54f8b508d77efa

SHA512
a3a704c3acf45669220c6265878f0f831ee6d640662cc0dfed266ada5c5ee1ff3f252d8e9c24f377fd76b9a13d2178c55f929a4fe52e88d06d4e668dec97a6d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E23CA42D3D94A798476AE95AFAF81DF\5E23CA~1.TXT

Filesize
31KB

MD5
f44e4bb94dd00aee8097d10a5d04a87c

SHA1
08062f3c86e1c76c040c34700bbc2a49d85f2d3c

SHA256
97ea66ec83ff2fd8dec1649b5ae3b116ae04303668c9fe772f990138636aa148

SHA512
d1df3c519888e98b0d5fd79551dd846692ea8ab8c57ef12bedf5b7f8b013c5f4e19b110fe55cb83e1beea2f78f5983ee6e7831fe75843836156cf44bf0caba97

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB869.tmp\internaldf5106fe39134f79d31982cadda7505c_JaffaCakes118_icon.ico

Filesize
31KB

MD5
1f047e870359e4ef7097acefe2043f20

SHA1
82ab7362f9c066473b2643e6cd4201ccbf0bb586

SHA256
f8aa104cfb7abbceac412d4906ce10f5cf576dd4eb9a525103946d692c55734e

SHA512
e4e779676d19d84507250adcffcd9cba99c1666f7678f832c03e41f5f264d16a43ae924d8e29e783d84b2742be1a45803aec99a36b9a3784c4f2d6edd297e286

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB869.tmp\internaldf5106fe39134f79d31982cadda7505c_JaffaCakes118_splash.png

Filesize
65KB

MD5
ef1514e5d2bcf830b39858f0736d7de7

SHA1
832214b62cb3e56f858a876fc3f09cb3c3324cbb

SHA256
c61599b0e0207ac5f7db1551e96818ec4abcbf77def4afe00fb2bbccc2ca6bb1

SHA512
cf547ad17ca774bb18c3931625eb3c7b6fe208af433332efa11653605f346d5449289739dbce66aef1c50fb134966419defcb02fd5bb206f8a2211f0e4b0e45d

Download Submit
\Users\Admin\AppData\Local\Temp\nsjB869.tmp\internaldf5106fe39134f79d31982cadda7505c_JaffaCakes118.exe

Filesize
1.7MB

MD5
d4c16982f8a834bc0f8028b45c3ae543

SHA1
9d9cec9af8f23a23521e20d48d9af1024663a4a7

SHA256
932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b

SHA512
c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c

Download Submit
memory/340-295-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2220-76-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download