ae42a85698792404431f7d7a5af9efa5957ba6e39a07465955bba9660cc9287e

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1fc84e112eb855f22dc1db9ff7e9a1f_JaffaCakes118.exe
Size

593KB
MD5

e1fc84e112eb855f22dc1db9ff7e9a1f
SHA1

492db5ba3ecfcaa2f93d1735490ff4578b88775a
SHA256

ae42a85698792404431f7d7a5af9efa5957ba6e39a07465955bba9660cc9287e
SHA512

880e2fdaf1ad52886d8486fb0bfdb380d135b4fd4c548c6cfb670e5f01eaaf2c929cae88f8e2c54f835ea39114c3fc6aacfcba74c49bf2ff67b1b6f922bafcf3
SSDEEP

12288:qjDoHMfc58H6K/YziF9AHataFnlYJ5moF3Z4mxxNDqVTVOCF:qHTHt/YziFKCaFn0/QmXMVTzF

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2612	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2572	svchos.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2572 set thread context of 2740	2572	svchos.exe	32

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\svchos.exe	e1fc84e112eb855f22dc1db9ff7e9a1f_JaffaCakes118.exe
File opened for modification	C:\Windows\svchos.exe	e1fc84e112eb855f22dc1db9ff7e9a1f_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	e1fc84e112eb855f22dc1db9ff7e9a1f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1fc84e112eb855f22dc1db9ff7e9a1f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	e1fc84e112eb855f22dc1db9ff7e9a1f_JaffaCakes118.exe
Token: SeDebugPrivilege	2572	svchos.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2612	2144	e1fc84e112eb855f22dc1db9ff7e9a1f_JaffaCakes118.exe	33
PID 2144 wrote to memory of 2612	2144	e1fc84e112eb855f22dc1db9ff7e9a1f_JaffaCakes118.exe	33
PID 2144 wrote to memory of 2612	2144	e1fc84e112eb855f22dc1db9ff7e9a1f_JaffaCakes118.exe	33
PID 2144 wrote to memory of 2612	2144	e1fc84e112eb855f22dc1db9ff7e9a1f_JaffaCakes118.exe	33
PID 2144 wrote to memory of 2612	2144	e1fc84e112eb855f22dc1db9ff7e9a1f_JaffaCakes118.exe	33
PID 2144 wrote to memory of 2612	2144	e1fc84e112eb855f22dc1db9ff7e9a1f_JaffaCakes118.exe	33
PID 2144 wrote to memory of 2612	2144	e1fc84e112eb855f22dc1db9ff7e9a1f_JaffaCakes118.exe	33
PID 2572 wrote to memory of 2740	2572	svchos.exe	32
PID 2572 wrote to memory of 2740	2572	svchos.exe	32
PID 2572 wrote to memory of 2740	2572	svchos.exe	32
PID 2572 wrote to memory of 2740	2572	svchos.exe	32
PID 2572 wrote to memory of 2740	2572	svchos.exe	32
PID 2572 wrote to memory of 2740	2572	svchos.exe	32

C:\Users\Admin\AppData\Local\Temp\e1fc84e112eb855f22dc1db9ff7e9a1f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e1fc84e112eb855f22dc1db9ff7e9a1f_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2612

C:\Windows\svchos.exe
C:\Windows\svchos.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572
- C:\windows\SysWOW64\svchost.exe
  C:\windows\system32\svchost.exe
  2⤵
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchos.exe

Filesize
593KB

MD5
e1fc84e112eb855f22dc1db9ff7e9a1f

SHA1
492db5ba3ecfcaa2f93d1735490ff4578b88775a

SHA256
ae42a85698792404431f7d7a5af9efa5957ba6e39a07465955bba9660cc9287e

SHA512
880e2fdaf1ad52886d8486fb0bfdb380d135b4fd4c548c6cfb670e5f01eaaf2c929cae88f8e2c54f835ea39114c3fc6aacfcba74c49bf2ff67b1b6f922bafcf3

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
74ddf94a55219f01e9bfdff6083c42c8

SHA1
a1288901e29ea7b06b276384f3fe6a7815bf1924

SHA256
05e8e9f1c23f861378e96fef39ba5ac9bd369b05550132d9aca4401b05508294

SHA512
fa054b54e14968091a5f6b072dcc7f014c4ea7af0543b1eb1c31386e91660cbeef6b82f5f953a96a93920bcdbdbe9bd38ee12caee87f089ed90f039040e7ede0

Download Submit
memory/2144-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2144-1-0x0000000000640000-0x0000000000694000-memory.dmp

Filesize
336KB

Download
memory/2144-2-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/2144-3-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/2144-4-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2144-5-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2144-6-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/2144-7-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/2144-8-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/2144-9-0x0000000001E40000-0x0000000001E41000-memory.dmp

Filesize
4KB

Download
memory/2144-10-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2144-11-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/2144-12-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/2144-13-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/2144-14-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/2144-15-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/2144-16-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/2144-17-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-18-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-19-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-20-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-21-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-22-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-23-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-24-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-25-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-26-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-27-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-28-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-29-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-30-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-31-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-32-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-33-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-34-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-35-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-36-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-37-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-38-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-39-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-40-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-41-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-42-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-43-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2144-57-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2572-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2572-64-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2740-61-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2740-59-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2740-58-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download