59eecb904ac21ae186f49bf7062cb10cacc9a9ea07c1e4b7664ecc85e63d9c99

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea9dc84fabfa751fc1880b3a53c1c468_JaffaCakes118.exe
Size

39KB
MD5

ea9dc84fabfa751fc1880b3a53c1c468
SHA1

1b8fe3c2ebbde76f498350c8a4351dae4f9a2675
SHA256

59eecb904ac21ae186f49bf7062cb10cacc9a9ea07c1e4b7664ecc85e63d9c99
SHA512

1f10aa519ec63c46e123b5bc23b5097a3d13e9dfea62bfc1251a946da0cda7587797aa3a04d7ffb32ed1e9e0bc58ab9bdc0adee7a1f6dd3e72a11f2b1f66fafe
SSDEEP

768:PGZJgZtuHE1svhDPevwjVE/Xsbzt1BGcV:PCgZSE1sV/xE/Gt1z

Score

10^/10

discovery evasion

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	reg.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea9dc84fabfa751fc1880b3a53c1c468_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2360	reg.exe
2760	reg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2108	ea9dc84fabfa751fc1880b3a53c1c468_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 3052	2108	ea9dc84fabfa751fc1880b3a53c1c468_JaffaCakes118.exe	30
PID 2108 wrote to memory of 3052	2108	ea9dc84fabfa751fc1880b3a53c1c468_JaffaCakes118.exe	30
PID 2108 wrote to memory of 3052	2108	ea9dc84fabfa751fc1880b3a53c1c468_JaffaCakes118.exe	30
PID 2108 wrote to memory of 3052	2108	ea9dc84fabfa751fc1880b3a53c1c468_JaffaCakes118.exe	30
PID 2108 wrote to memory of 3052	2108	ea9dc84fabfa751fc1880b3a53c1c468_JaffaCakes118.exe	30
PID 2108 wrote to memory of 3052	2108	ea9dc84fabfa751fc1880b3a53c1c468_JaffaCakes118.exe	30
PID 2108 wrote to memory of 3052	2108	ea9dc84fabfa751fc1880b3a53c1c468_JaffaCakes118.exe	30
PID 2108 wrote to memory of 3064	2108	ea9dc84fabfa751fc1880b3a53c1c468_JaffaCakes118.exe	31
PID 2108 wrote to memory of 3064	2108	ea9dc84fabfa751fc1880b3a53c1c468_JaffaCakes118.exe	31
PID 2108 wrote to memory of 3064	2108	ea9dc84fabfa751fc1880b3a53c1c468_JaffaCakes118.exe	31
PID 2108 wrote to memory of 3064	2108	ea9dc84fabfa751fc1880b3a53c1c468_JaffaCakes118.exe	31
PID 2108 wrote to memory of 3064	2108	ea9dc84fabfa751fc1880b3a53c1c468_JaffaCakes118.exe	31
PID 2108 wrote to memory of 3064	2108	ea9dc84fabfa751fc1880b3a53c1c468_JaffaCakes118.exe	31
PID 2108 wrote to memory of 3064	2108	ea9dc84fabfa751fc1880b3a53c1c468_JaffaCakes118.exe	31
PID 2108 wrote to memory of 2992	2108	ea9dc84fabfa751fc1880b3a53c1c468_JaffaCakes118.exe	33
PID 2108 wrote to memory of 2992	2108	ea9dc84fabfa751fc1880b3a53c1c468_JaffaCakes118.exe	33
PID 2108 wrote to memory of 2992	2108	ea9dc84fabfa751fc1880b3a53c1c468_JaffaCakes118.exe	33
PID 2108 wrote to memory of 2992	2108	ea9dc84fabfa751fc1880b3a53c1c468_JaffaCakes118.exe	33
PID 2108 wrote to memory of 2992	2108	ea9dc84fabfa751fc1880b3a53c1c468_JaffaCakes118.exe	33
PID 2108 wrote to memory of 2992	2108	ea9dc84fabfa751fc1880b3a53c1c468_JaffaCakes118.exe	33
PID 2108 wrote to memory of 2992	2108	ea9dc84fabfa751fc1880b3a53c1c468_JaffaCakes118.exe	33
PID 2992 wrote to memory of 1480	2992	cmd.exe	36
PID 2992 wrote to memory of 1480	2992	cmd.exe	36
PID 2992 wrote to memory of 1480	2992	cmd.exe	36
PID 2992 wrote to memory of 1480	2992	cmd.exe	36
PID 2992 wrote to memory of 1480	2992	cmd.exe	36
PID 2992 wrote to memory of 1480	2992	cmd.exe	36
PID 2992 wrote to memory of 1480	2992	cmd.exe	36
PID 3064 wrote to memory of 2360	3064	cmd.exe	37
PID 3064 wrote to memory of 2360	3064	cmd.exe	37
PID 3064 wrote to memory of 2360	3064	cmd.exe	37
PID 3064 wrote to memory of 2360	3064	cmd.exe	37
PID 3064 wrote to memory of 2360	3064	cmd.exe	37
PID 3064 wrote to memory of 2360	3064	cmd.exe	37
PID 3064 wrote to memory of 2360	3064	cmd.exe	37
PID 3052 wrote to memory of 2760	3052	cmd.exe	38
PID 3052 wrote to memory of 2760	3052	cmd.exe	38
PID 3052 wrote to memory of 2760	3052	cmd.exe	38
PID 3052 wrote to memory of 2760	3052	cmd.exe	38
PID 3052 wrote to memory of 2760	3052	cmd.exe	38
PID 3052 wrote to memory of 2760	3052	cmd.exe	38
PID 3052 wrote to memory of 2760	3052	cmd.exe	38
PID 2992 wrote to memory of 2748	2992	cmd.exe	39
PID 2992 wrote to memory of 2748	2992	cmd.exe	39
PID 2992 wrote to memory of 2748	2992	cmd.exe	39
PID 2992 wrote to memory of 2748	2992	cmd.exe	39
PID 2992 wrote to memory of 2748	2992	cmd.exe	39
PID 2992 wrote to memory of 2748	2992	cmd.exe	39
PID 2992 wrote to memory of 2748	2992	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\ea9dc84fabfa751fc1880b3a53c1c468_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea9dc84fabfa751fc1880b3a53c1c468_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "EnableFirewall" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "EnableFirewall" /t REG_DWORD /d "0" /f
    3⤵
    - Modifies firewall policy service
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile /v "EnableFirewall" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile /v "EnableFirewall" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c gurl.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\reg.exe
    reg add "hklm\software\microsoft\windows\currentversion\windowsupdate\auto Update" /v AUOptions /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1480
- - C:\Windows\SysWOW64\reg.exe
    reg add "hklm\software\microsoft\windows\currentversion\windowsupdate\auto Update" /v AUState /t REG_DWORD /d 7 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gurl.bat

Filesize
259B

MD5
a72d657c94e625c23d8d54c2003f0ce8

SHA1
c0b0444dc64bf8e0c5c079b8ecd527776c0250e4

SHA256
c5f7992d49d7e9b89e3e6418a4bc62530c7c9fd9dbcc040b80fe1df0acce0009

SHA512
c0c6eeda8d981aa75842481d49c74c0fec03f6ec0bc9c554d0243d79adf355b01e3c829862e995c68c8646ed4ca6c47d3a3df6f4175e578930a7dd8fdaec1e8b

Download Submit
memory/2108-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2108-1-0x0000000000020000-0x000000000002B000-memory.dmp

Filesize
44KB

Download
memory/2108-2-0x0000000000020000-0x000000000002B000-memory.dmp

Filesize
44KB

Download
memory/2108-13-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads