a3e032cb1143596ea8e94d8609e2d9c649a12d03b119c361ecfd1a80d1175576

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe
Size

97KB
MD5

ea96817e608eae8d37e95f2d7ae2ce25
SHA1

e23e2e70157e65e331691a44a85121238da80973
SHA256

a3e032cb1143596ea8e94d8609e2d9c649a12d03b119c361ecfd1a80d1175576
SHA512

151a599cb5bea67ef6dd9f401a92ac40f33185ba0446672352074a92b38e578fe6dc4831873aca29fe44d7f117b6bb802e280e0279de1706b6cfe264b11ebc95
SSDEEP

1536:AlMql4OQM2/kdepuxneOqy+GnnMFPhWq/B8nGry:8Zm/fuxn8GnqhWqZ8nGry

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1712	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2772	svhost32.exe

Loads dropped DLL 3 IoCs

pid	Process
1488	ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe
1488	ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe
2772	svhost32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ms = "C:\\Program Files\\Microsoft\\svhost32.exe"	ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msdll.dll	svhost32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft\svhost32.exe	ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft\svhost32.exe	ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1488	ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe
1488	ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe
1488	ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe
1488	ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe
1488	ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe
1488	ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe
1488	ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe
1488	ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe
1488	ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe
1488	ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe
1488	ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe
1488	ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2772	svhost32.exe
2772	svhost32.exe
2772	svhost32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2772	1488	ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe	31
PID 1488 wrote to memory of 2772	1488	ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe	31
PID 1488 wrote to memory of 2772	1488	ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe	31
PID 1488 wrote to memory of 2772	1488	ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe	31
PID 1488 wrote to memory of 1712	1488	ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe	32
PID 1488 wrote to memory of 1712	1488	ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe	32
PID 1488 wrote to memory of 1712	1488	ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe	32
PID 1488 wrote to memory of 1712	1488	ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea96817e608eae8d37e95f2d7ae2ce25_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Program Files\Microsoft\svhost32.exe
  "C:\Program Files\Microsoft\svhost32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\$$cD7F7.tmp.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$cD7F7.tmp.bat

Filesize
261B

MD5
3ce3ed39f5ffe1fc4dd3b5e2e3aa3fff

SHA1
9fa7449c76ef66a4b0de355a0cbc7e6c21327ba1

SHA256
e5702c5ebf4d2a8614b1f4d3020e07a1f73e58cf38f8c9369cd2e68dd5ab6c04

SHA512
7ee9ff4db43b90f297586b16067f8a63c42591f358b2897f9c1f1c40d0f30ebf79cf5d35b5475acc15087bee1e9c542f0b9bca3773b81f01aa40429e7d7fb2a2

Download Submit
\Program Files\Microsoft\svhost32.exe

Filesize
97KB

MD5
ea96817e608eae8d37e95f2d7ae2ce25

SHA1
e23e2e70157e65e331691a44a85121238da80973

SHA256
a3e032cb1143596ea8e94d8609e2d9c649a12d03b119c361ecfd1a80d1175576

SHA512
151a599cb5bea67ef6dd9f401a92ac40f33185ba0446672352074a92b38e578fe6dc4831873aca29fe44d7f117b6bb802e280e0279de1706b6cfe264b11ebc95

Download Submit
\Windows\SysWOW64\msdll.dll

Filesize
50KB

MD5
bb171009ee8b1c79e5657154701ca2a8

SHA1
2863b8fa4cb857cadefdd2dbe335b0fd8ecff946

SHA256
07ed09ac6353486b54aeb85dcdf53a55f014f1968fdaf3d58bd9b6033809ab66

SHA512
6a0a4c3fb2583f3697123798c52f0e2cff936753bbffd17318180fb0c542dcc749ece43a85d4b9af953c961e8d37ad3da1921c53ee8881a9c1882a2c05b79ab1

Download Submit
memory/1488-15-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2772-18-0x0000000000230000-0x0000000000241000-memory.dmp

Filesize
68KB

Download
memory/2772-21-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2772-22-0x0000000000230000-0x0000000000241000-memory.dmp

Filesize
68KB

Download