fc2a6c11c9d7e8c1f8c110fa3017b270bdbe18897e1f57dbb99e02901fd8817b

Analysis

max time kernel
132s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea90a97f0b445be31e6a432f00fb81a4_JaffaCakes118.exe
Size

274KB
MD5

ea90a97f0b445be31e6a432f00fb81a4
SHA1

d8dca93ed0f107117f1693caab980c934ec13bcd
SHA256

fc2a6c11c9d7e8c1f8c110fa3017b270bdbe18897e1f57dbb99e02901fd8817b
SHA512

6fbb3f978c36c667e99f9c7f75c800a22d9e537e6adf45ba72f40f5c9e46811f4276c1a37ce72f284ab5900af65a59fcb401c5f65db9c0093a874640daa2271e
SSDEEP

6144:Jvyo/9AbHITqCFLQ/Z3XHndmz+m06RcNLpf/vzX:JvyASHgFs1dmzfwNLF/v

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
332	csrss.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea90a97f0b445be31e6a432f00fb81a4_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2068	ea90a97f0b445be31e6a432f00fb81a4_JaffaCakes118.exe
2068	ea90a97f0b445be31e6a432f00fb81a4_JaffaCakes118.exe
2068	ea90a97f0b445be31e6a432f00fb81a4_JaffaCakes118.exe
2068	ea90a97f0b445be31e6a432f00fb81a4_JaffaCakes118.exe
332	csrss.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	ea90a97f0b445be31e6a432f00fb81a4_JaffaCakes118.exe
Token: SeDebugPrivilege	2068	ea90a97f0b445be31e6a432f00fb81a4_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	832	svchost.exe
Token: SeIncreaseQuotaPrivilege	832	svchost.exe
Token: SeSecurityPrivilege	832	svchost.exe
Token: SeTakeOwnershipPrivilege	832	svchost.exe
Token: SeLoadDriverPrivilege	832	svchost.exe
Token: SeSystemtimePrivilege	832	svchost.exe
Token: SeBackupPrivilege	832	svchost.exe
Token: SeRestorePrivilege	832	svchost.exe
Token: SeShutdownPrivilege	832	svchost.exe
Token: SeSystemEnvironmentPrivilege	832	svchost.exe
Token: SeUndockPrivilege	832	svchost.exe
Token: SeManageVolumePrivilege	832	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	832	svchost.exe
Token: SeIncreaseQuotaPrivilege	832	svchost.exe
Token: SeSecurityPrivilege	832	svchost.exe
Token: SeTakeOwnershipPrivilege	832	svchost.exe
Token: SeLoadDriverPrivilege	832	svchost.exe
Token: SeSystemtimePrivilege	832	svchost.exe
Token: SeBackupPrivilege	832	svchost.exe
Token: SeRestorePrivilege	832	svchost.exe
Token: SeShutdownPrivilege	832	svchost.exe
Token: SeSystemEnvironmentPrivilege	832	svchost.exe
Token: SeUndockPrivilege	832	svchost.exe
Token: SeManageVolumePrivilege	832	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	832	svchost.exe
Token: SeIncreaseQuotaPrivilege	832	svchost.exe
Token: SeSecurityPrivilege	832	svchost.exe
Token: SeTakeOwnershipPrivilege	832	svchost.exe
Token: SeLoadDriverPrivilege	832	svchost.exe
Token: SeSystemtimePrivilege	832	svchost.exe
Token: SeBackupPrivilege	832	svchost.exe
Token: SeRestorePrivilege	832	svchost.exe
Token: SeShutdownPrivilege	832	svchost.exe
Token: SeSystemEnvironmentPrivilege	832	svchost.exe
Token: SeUndockPrivilege	832	svchost.exe
Token: SeManageVolumePrivilege	832	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	832	svchost.exe
Token: SeIncreaseQuotaPrivilege	832	svchost.exe
Token: SeSecurityPrivilege	832	svchost.exe
Token: SeTakeOwnershipPrivilege	832	svchost.exe
Token: SeLoadDriverPrivilege	832	svchost.exe
Token: SeSystemtimePrivilege	832	svchost.exe
Token: SeBackupPrivilege	832	svchost.exe
Token: SeRestorePrivilege	832	svchost.exe
Token: SeShutdownPrivilege	832	svchost.exe
Token: SeSystemEnvironmentPrivilege	832	svchost.exe
Token: SeUndockPrivilege	832	svchost.exe
Token: SeManageVolumePrivilege	832	svchost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 1192	2068	ea90a97f0b445be31e6a432f00fb81a4_JaffaCakes118.exe	21
PID 2068 wrote to memory of 332	2068	ea90a97f0b445be31e6a432f00fb81a4_JaffaCakes118.exe	2
PID 2068 wrote to memory of 2688	2068	ea90a97f0b445be31e6a432f00fb81a4_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2688	2068	ea90a97f0b445be31e6a432f00fb81a4_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2688	2068	ea90a97f0b445be31e6a432f00fb81a4_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2688	2068	ea90a97f0b445be31e6a432f00fb81a4_JaffaCakes118.exe	30
PID 332 wrote to memory of 2752	332	csrss.exe	31
PID 332 wrote to memory of 2752	332	csrss.exe	31
PID 332 wrote to memory of 832	332	csrss.exe	13

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:832
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:2752

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\ea90a97f0b445be31e6a432f00fb81a4_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ea90a97f0b445be31e6a432f00fb81a4_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.dll

Filesize
53KB

MD5
d1c9e07123216e8836e7988794cd3c75

SHA1
a1061c34544c9377449e186074404e0dd1009994

SHA256
334bd46d5f3ba098c11827982715c0ff98e2aa1c2361b9702b222949e7e5730c

SHA512
06014da3030fa66fbf64f9dd0c9c229390c93dedcb2c6f53aff810a7d0054c05c514804ea9dbae3d6ec1f13b45b4dd844a7e1ec1706e5a7ae16be8e8a760898b

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
70eebaebd1a7e5c2bf4bf24d5ed3f545

SHA1
bc39c18fe831b83515f791ebcea97c23a3f97f11

SHA256
04b23b028ea086bb5a1a36274ea20ecba9f5252b1233bff61fdbc0aba1d37046

SHA512
38c701acfbe4fc0f8a8a5d1ac054085bff7c2612694ce16836bf46416edd032400c4a54bded8fd2bccefbb445419c806ca63ae485d9915ae564d40b3d694b684

Download Submit
memory/332-17-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/332-24-0x0000000000DE0000-0x0000000000DF2000-memory.dmp

Filesize
72KB

Download
memory/332-20-0x0000000000DE0000-0x0000000000DF2000-memory.dmp

Filesize
72KB

Download
memory/332-19-0x0000000000DE0000-0x0000000000DF2000-memory.dmp

Filesize
72KB

Download
memory/832-31-0x0000000000310000-0x000000000031B000-memory.dmp

Filesize
44KB

Download
memory/832-27-0x0000000000310000-0x000000000031B000-memory.dmp

Filesize
44KB

Download
memory/832-38-0x0000000000320000-0x000000000032B000-memory.dmp

Filesize
44KB

Download
memory/832-26-0x0000000000300000-0x0000000000308000-memory.dmp

Filesize
32KB

Download
memory/832-36-0x0000000000320000-0x000000000032B000-memory.dmp

Filesize
44KB

Download
memory/832-35-0x0000000000310000-0x000000000031B000-memory.dmp

Filesize
44KB

Download
memory/1192-12-0x0000000002140000-0x0000000002142000-memory.dmp

Filesize
8KB

Download
memory/1192-3-0x0000000002170000-0x0000000002176000-memory.dmp

Filesize
24KB

Download
memory/1192-11-0x0000000002170000-0x0000000002176000-memory.dmp

Filesize
24KB

Download
memory/1192-7-0x0000000002170000-0x0000000002176000-memory.dmp

Filesize
24KB

Download
memory/2068-2-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/2068-22-0x0000000000400000-0x0000000000447FB0-memory.dmp

Filesize
287KB

Download
memory/2068-0-0x0000000000400000-0x0000000000447FB0-memory.dmp

Filesize
287KB

Download
memory/2068-1-0x0000000001F30000-0x000000000233E000-memory.dmp

Filesize
4.1MB

Download