4bc6b440a46a9e847d83864386b180ecd67be2f589d5840d232cce5ef3c95e6e

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/09/2024, 22:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ea0c85b933a664e0e464dd9d31e2e11a_JaffaCakes118.exe
Size

21KB
MD5

ea0c85b933a664e0e464dd9d31e2e11a
SHA1

91c1496867af8fc70c7843b03905a417e5f16063
SHA256

4bc6b440a46a9e847d83864386b180ecd67be2f589d5840d232cce5ef3c95e6e
SHA512

e5467de72527d38d799b9847f4194d53b8d992dc6cacb59efcf123116e9925482125b493a59271bcba28187c58699def4ac4f5616d781f4143b1d2e14a625b8d
SSDEEP

384:mljW/Wqjr1kGOu94KxE4h8naICWf3FE/upMka3hR/9ReYDNdOgxAQgUH5o596I4:Qc2vx42adWvFEiWb9rDNfAQ/+4

Score

8^/10

discovery persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\E90C0E8C\ImagePath = "C:\\Windows\\system32\\EF82DD03.EXE -p"	ea0c85b933a664e0e464dd9d31e2e11a_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2640	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
332	EF82DD03.EXE

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\EF82DD03.EXE	ea0c85b933a664e0e464dd9d31e2e11a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\EF82DD03.EXE	ea0c85b933a664e0e464dd9d31e2e11a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\EF82DD03.EXE	EF82DD03.EXE
File created	C:\Windows\SysWOW64\delme.bat	ea0c85b933a664e0e464dd9d31e2e11a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\4816CB6.DLL	EF82DD03.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EF82DD03.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea0c85b933a664e0e464dd9d31e2e11a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
876	ea0c85b933a664e0e464dd9d31e2e11a_JaffaCakes118.exe
332	EF82DD03.EXE
332	EF82DD03.EXE
332	EF82DD03.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 2640	876	ea0c85b933a664e0e464dd9d31e2e11a_JaffaCakes118.exe	32
PID 876 wrote to memory of 2640	876	ea0c85b933a664e0e464dd9d31e2e11a_JaffaCakes118.exe	32
PID 876 wrote to memory of 2640	876	ea0c85b933a664e0e464dd9d31e2e11a_JaffaCakes118.exe	32
PID 876 wrote to memory of 2640	876	ea0c85b933a664e0e464dd9d31e2e11a_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\ea0c85b933a664e0e464dd9d31e2e11a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea0c85b933a664e0e464dd9d31e2e11a_JaffaCakes118.exe"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\delme.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2640

C:\Windows\SysWOW64\EF82DD03.EXE
C:\Windows\SysWOW64\EF82DD03.EXE -p
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\EF82DD03.EXE

Filesize
21KB

MD5
ea0c85b933a664e0e464dd9d31e2e11a

SHA1
91c1496867af8fc70c7843b03905a417e5f16063

SHA256
4bc6b440a46a9e847d83864386b180ecd67be2f589d5840d232cce5ef3c95e6e

SHA512
e5467de72527d38d799b9847f4194d53b8d992dc6cacb59efcf123116e9925482125b493a59271bcba28187c58699def4ac4f5616d781f4143b1d2e14a625b8d

Download Submit
C:\Windows\SysWOW64\delme.bat

Filesize
239B

MD5
ba9a742b47a6c0ab5e92f36be8a65436

SHA1
4f5e022584bba9c9f6244838f3d47bca113b2296

SHA256
2bd31a794b2def2576d027b4fe0e39e780d7def97cfa72cf7ddbf596c8c82cbb

SHA512
279694bcd6c8cbe57bde8c116dbbadf2088f643bd0852beab908fdc6babf433d23f766d51cd94cb5219f66b57a1eb5fb2d116d4810b4ecaf70aad2386659dd45

Download Submit
memory/332-4-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/332-16-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/876-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/876-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/876-13-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download