976a90447e9b49ccc7eaa7e52dd41654cb54fd1b1c17128e1e7c943a336a3b04

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0bedf61929743f75b1ccaec1b192dd3_JaffaCakes118.exe
Size

728KB
MD5

e0bedf61929743f75b1ccaec1b192dd3
SHA1

b2807e365a812b7da39ff01a9b9ce82cca30550b
SHA256

976a90447e9b49ccc7eaa7e52dd41654cb54fd1b1c17128e1e7c943a336a3b04
SHA512

617da56db001ab03186781bb79874de9b14bf3bd679f84ed658a6797e9645afc163017b042aa02ca511ef54e8b182b1bee3bd0d61ca61178272deb2141aa5b27
SSDEEP

12288:2GcoX53l4xf/LY80pUX4DwJ2+B05OEkz4+WqEe4/sVO:IaKfTgk4E4+O4lz4Fe

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\data.exe	e0bedf61929743f75b1ccaec1b192dd3_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2728	data.exe

Loads dropped DLL 4 IoCs

pid	Process
2924	e0bedf61929743f75b1ccaec1b192dd3_JaffaCakes118.exe
2924	e0bedf61929743f75b1ccaec1b192dd3_JaffaCakes118.exe
2924	e0bedf61929743f75b1ccaec1b192dd3_JaffaCakes118.exe
2924	e0bedf61929743f75b1ccaec1b192dd3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0bedf61929743f75b1ccaec1b192dd3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	data.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2728	2924	e0bedf61929743f75b1ccaec1b192dd3_JaffaCakes118.exe	30
PID 2924 wrote to memory of 2728	2924	e0bedf61929743f75b1ccaec1b192dd3_JaffaCakes118.exe	30
PID 2924 wrote to memory of 2728	2924	e0bedf61929743f75b1ccaec1b192dd3_JaffaCakes118.exe	30
PID 2924 wrote to memory of 2728	2924	e0bedf61929743f75b1ccaec1b192dd3_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\e0bedf61929743f75b1ccaec1b192dd3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e0bedf61929743f75b1ccaec1b192dd3_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\data.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\data.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\data.exe

Filesize
557KB

MD5
33d275ea4fb74ed4004164bb69b73869

SHA1
cd5d4ccceb3ca406e9bc8022ef8df41dd56e1981

SHA256
a82bb5b963a543f7bcd7586af89fe0b0bbf4c6e1d9da8cf99879928e3b548c5c

SHA512
5198f1e4fb3484c68a443c6871aa2478452ea39fe148837f72b0cd566d1d00137447325ad9daa0f365f92cc04f297d4c4ebef8930483f68f4ed3ab79bd3e0284

Download Submit
memory/2728-28-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2728-25-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2728-29-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2728-23-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2728-30-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2728-26-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2728-27-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2728-31-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2728-24-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2728-21-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2728-37-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2728-32-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2728-33-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2728-34-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2728-35-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2728-36-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2924-20-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download