92b9a059a05b3e6d65fdc260f95a8aba264c44846663d26fbe65d97a4773d90a

Analysis

max time kernel
80s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe
Size

230KB
MD5

ea99a8e5507dc0b411284a428e0a4211
SHA1

0dcce5a6a86ef8a7b32804902ca7f7d44de12da6
SHA256

92b9a059a05b3e6d65fdc260f95a8aba264c44846663d26fbe65d97a4773d90a
SHA512

6dc8d7361fc3284fda9d9664ffbdfeae8fe1db2840e16d8352a202f9ac4320d4fcc94b59994e979a3aabd8199de3bafb36b39062d8ec50cf4177823011af9be4
SSDEEP

6144:Jn+TdrqSJnIjyfENiv2bpbyW38gOhOQKdl:Jnad3nIucov2brMgOhdC

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe
2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe
2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe
2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe
2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe
2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe
2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe
2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe
2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe
2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe
2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2840	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2840	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2840	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2840	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	30
PID 2140 wrote to memory of 3028	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	32
PID 2140 wrote to memory of 3028	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	32
PID 2140 wrote to memory of 3028	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	32
PID 2140 wrote to memory of 3028	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	32
PID 2140 wrote to memory of 1152	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	33
PID 2140 wrote to memory of 1152	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	33
PID 2140 wrote to memory of 1152	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	33
PID 2140 wrote to memory of 1152	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	33
PID 2140 wrote to memory of 1492	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	34
PID 2140 wrote to memory of 1492	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	34
PID 2140 wrote to memory of 1492	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	34
PID 2140 wrote to memory of 1492	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	34
PID 2140 wrote to memory of 2184	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	35
PID 2140 wrote to memory of 2184	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	35
PID 2140 wrote to memory of 2184	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	35
PID 2140 wrote to memory of 2184	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	35
PID 2140 wrote to memory of 2124	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	36
PID 2140 wrote to memory of 2124	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	36
PID 2140 wrote to memory of 2124	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	36
PID 2140 wrote to memory of 2124	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	36
PID 2140 wrote to memory of 1372	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	37
PID 2140 wrote to memory of 1372	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	37
PID 2140 wrote to memory of 1372	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	37
PID 2140 wrote to memory of 1372	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	37
PID 2140 wrote to memory of 676	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	38
PID 2140 wrote to memory of 676	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	38
PID 2140 wrote to memory of 676	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	38
PID 2140 wrote to memory of 676	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	38
PID 2140 wrote to memory of 1528	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	39
PID 2140 wrote to memory of 1528	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	39
PID 2140 wrote to memory of 1528	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	39
PID 2140 wrote to memory of 1528	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	39
PID 2140 wrote to memory of 1752	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	41
PID 2140 wrote to memory of 1752	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	41
PID 2140 wrote to memory of 1752	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	41
PID 2140 wrote to memory of 1752	2140	ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe	41

C:\Users\Admin\AppData\Local\Temp\ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea99a8e5507dc0b411284a428e0a4211_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tinBADD.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2840
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinF2ED.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3028
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinD504.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1152
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinB0AF.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1492
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinF2ED.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2184
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinED32.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2124
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin8E83.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1372
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinB0AF.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin6CD6.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1528
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin927B.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\92DD238B\cfg\1.ini

Filesize
10KB

MD5
5ecd0a1c0993a62ff81ec1b2e25906f2

SHA1
2f16403b0e33ab0e95b118e1055e62021273e62d

SHA256
512bce7a3c222e34851ec2065ec8e3f1334ed70538a27457dc6504c6994e3df9

SHA512
1b2eb0d86fb8530d7e7aac25c799f09a9205dbd1a2936500ef99771bd69c9f94414bc83bfbf0d74ab0e1d987ad859c2515180cfc034d9ccc85d4a1878aa995c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\92DD238B\Setup.exe

Filesize
15KB

MD5
620c469559fab74b64c7a18e3960c13a

SHA1
c2e1aab11c99808fc03f2e875aa72b23000d0cfa

SHA256
ed13de9a4a1b65a3b5c7263d71907c99d05b01ca065f1879bd6f0555e70e58a5

SHA512
fde0220ea0cc6e4d78b27bdee100358040191514d66f33122a3fec6de996be467560dc1a594e8e47e4a7e4531beb5325f829a5779347ac4534ecb0ec342f4394

Download Submit
C:\Users\Admin\AppData\Local\Temp\92DD238B\Setup.ico

Filesize
4KB

MD5
c3926cef276c0940dadbc8142153cec9

SHA1
f8b350d2b7158f5ab147938961439860d77b9cb4

SHA256
0ec48e3c1886bc0169a4bc262f012e9b7914e3b440bb0ecc4d8123924abc9b93

SHA512
5b9958095b8a7b39b3a2226a5242faec8d2d799d10e1e4ed6dbfb8aaebe51b7496cf4bb5ad588366a296671df3ba46a3f42860abc7f9501b4cc5efd55dd87904

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin6CD6.bat

Filesize
50B

MD5
7d8ca4d072341887c92c083e031e5ff8

SHA1
a4c8bed82d28dd4c80d52e507f1eb7eead9f4d1b

SHA256
ef595dfc011a4e688b37e8f68f91e8cf0437ca2b79150246966d825de0fcd57b

SHA512
343c36468f8b5f184af2dfcbb5ec66b7292ea3bc1f3fc7dd8a1456bc543383de4f5f61002f289a65b865689cd0daf4fd0ad754b9f273e84f4d92279d2bcf5b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin8E83.vbs

Filesize
819B

MD5
d3f7c2ca80bdd4325a2bfd7d6cba32a2

SHA1
dd4929bf40a42afc7187ac9f4e1d1e17c84b9481

SHA256
8ec97946c42fbd1e9f071f6badf914c23e034faf01e1e506ef4e828fff55b133

SHA512
e78a7d20f815719eff37b4f3800bf0dffc2fdc2d823a142c2533f45a637257e0cda7b655617919f5d4a5a610449bb0eb372b5341546f627d793a5a419ceec113

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin927B.bat

Filesize
46B

MD5
54c1be8c582eed6e28e0e070c2229203

SHA1
1f6b75e8d6558c8cad92da5cc19482920286af71

SHA256
378db2b68ed507b6c7dd538bcba56cb366a8108b123b63f5e281cf6279d962fe

SHA512
df4ed02297940e7b7ecbc5facf208fee7fa86baaa2da4ddffe33341f48d97d48f92dca6f6b27a1c37db63b0e6fcee80e13db35c5ef4ca802a59f7b6efb3c7d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinB0AF.vbs

Filesize
2KB

MD5
2d3ed230b8e461fc76967a3b51417874

SHA1
c153c977e36ec2265d5f16f5e83b151edf7823c9

SHA256
ea53b8d4b94638e3ad3681cfc7403421f64a92f23b0cce0453408b102f5687ea

SHA512
c3b94c02b4d9e5990e3fada7bf3eab3d43caee09a942e4604c12b772c8d1546c6ba17c458071a97cb1bc6a61f95063a23334fd5727d1fe23f6977fec0549f168

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinBADD.bat

Filesize
44B

MD5
33101e17b6577810e257258dfbe54955

SHA1
ad8faff0ea9b4da1c8c45887f7a5c76823bde779

SHA256
3074c1afde2889088af82c278f232dc4c7d42bec84aedcd655229eb802aabb9c

SHA512
00f28678d1f8e2f775e672e58f889c10aa495e08ec1abfe4892da7010a54ed971f8feb1c2960d030ac8ee9e426345dc4520e1bb4795ab5859f0d734651d504b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinD504.vbs

Filesize
751B

MD5
9a63214af8822a4ccb0f801f5cbb71fa

SHA1
638a7c49e694be64c883c24150ecf4b5254ce233

SHA256
bb9d056b18490d824a14f2d8a3640c85a3ce10377799486bf9f0db6a7f5b18f4

SHA512
e3d25c10dfe4d4f6d79641d34a42d03fbdc2fae72fbb68bcff1ab4476c2918955f6e71cae3464ed4a1f21dd9a97fa3d9aeb5b2b380c1bcbbe5404d6915871dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinED32.vbs

Filesize
419B

MD5
49a15a226574aeedc8183bd5849773f2

SHA1
206c5e0227fb60184941976083881f356d3aa390

SHA256
ba04ddc5ec196887c5dc480caf77f6a5423be2377a2bf6cf44a97eb8312585bf

SHA512
77723f022db4f172cd83fca1bfd05556a2c6104d01ad443874b3f9fe87bb547441fe0df0d0211664f6077aa14fc9e6f0f2e25e8d4534affb552ea30121f1a17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinF2ED.vbs

Filesize
304B

MD5
19840287aa8819495c6f08a7d449a223

SHA1
5f7e50288ba4e296b6741b10d52553a7893de2a6

SHA256
5655f321127c9aee0cac896ca271cbfd565d4ac662b71b9f9d54677ff274bbb6

SHA512
b7fae229451e467c980db75d9f38f23b69dcb92bc418dffe8d0c344b281f1e1b49972bbb039b6999d86d3ae90de17a0f778e8193dd53db63eab5b3a60f04049b

Download Submit
\Users\Admin\AppData\Local\Temp\92DD238B\_Setup.dll

Filesize
102KB

MD5
e1977b0f63e5e8f99774bbf1208cc2ae

SHA1
b3166733be46d9e1af34e69570ee864e124d0943

SHA256
c8a724380b65cd7c0bf6fad385d95f9e55c146f691570aef881fe6a85827f515

SHA512
12fc661069791050fc0b9f42ccb403a7bf7f73363d84c4ee3d1459828ece9569a0033247fdd3b14969cdb2a7714fe88a54239cf8186f866884e610cebefc2b6c

Download Submit
\Users\Admin\AppData\Local\Temp\92DD238B\_Setupx.dll

Filesize
17KB

MD5
eadbe643b191796334fef30a1eea793c

SHA1
7f2812e4133cf60089f31a6211c2a43cef0056a6

SHA256
4fabbdba8e89e45f109f1d78a12c0554440be8287bd3d697a01c5982c1acca84

SHA512
3e9feaf21b60411e05e5362a065a8f34b1f407803cc8800d26e84060ede779adb5c101921611e80f6a68b986f897bd691ad3d51207527f3591a4d37488617ab3

Download Submit
\Users\Admin\AppData\Local\Temp\Tsu-085C.dll

Filesize
245KB

MD5
3f722c6545511e5482fdcf8f4f4d07ba

SHA1
d777b6cc6f7044853a70c88938a5d5ffd23362e4

SHA256
3fa55e2bcff703f901ee858ee98df979f93ecbdda3f8fad9b45878a06fcf4bd5

SHA512
d9dd26e4e3aa08e0648fafe7d764138f1784638ecb7362f9ea7333bee1d49856244be20040e444d8226b8848e08abc230d60d447826428d359a8d674c188a2a5

Download Submit