94ff15373e9f0f81daa8f1c85d7deacc13e921c44962907ba30b15a335e2e9ce

Analysis

max time kernel
143s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaa5600a564f9be87047c4f5276d7cc9_JaffaCakes118.exe
Size

552KB
MD5

eaa5600a564f9be87047c4f5276d7cc9
SHA1

9a8f9921c4da2e48f1498e3043382035671c5a48
SHA256

94ff15373e9f0f81daa8f1c85d7deacc13e921c44962907ba30b15a335e2e9ce
SHA512

41883b666f47227071c090aa3ba2248df84d810ae65cc9b1b20824510b49cd9bb723c081717d029f2407c19d4d7f3598740f4e40e487a9f18697f8f92e3faa3c
SSDEEP

12288:5fH2pohMieQkyrKD7yyTwhVbsO3HnGTHx7:FWWNvkya750LHGT

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
316	360

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\360	eaa5600a564f9be87047c4f5276d7cc9_JaffaCakes118.exe
File opened for modification	C:\Windows\360	eaa5600a564f9be87047c4f5276d7cc9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	360
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaa5600a564f9be87047c4f5276d7cc9_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	316	360

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 1472	4708	eaa5600a564f9be87047c4f5276d7cc9_JaffaCakes118.exe	86
PID 4708 wrote to memory of 1472	4708	eaa5600a564f9be87047c4f5276d7cc9_JaffaCakes118.exe	86
PID 4708 wrote to memory of 1472	4708	eaa5600a564f9be87047c4f5276d7cc9_JaffaCakes118.exe	86
PID 316 wrote to memory of 2552	316	360	85
PID 316 wrote to memory of 2552	316	360	85
PID 316 wrote to memory of 2552	316	360	85

C:\Users\Admin\AppData\Local\Temp\eaa5600a564f9be87047c4f5276d7cc9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eaa5600a564f9be87047c4f5276d7cc9_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\8150.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1472

C:\Windows\360
C:\Windows\360
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:316
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" 123
  2⤵
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8150.bat

Filesize
226B

MD5
7e326c82deb39414de84a95a5083c4f6

SHA1
f8dc9328bb7782532b4c2636a324dc1e59878bca

SHA256
d7fdd16e16c83a65d97be245d7b4b82e15d9bd25626c8206136a88ae692f326c

SHA512
ad24db01bd90a4ccef95f77f37dccd4790de665814719c5ba7a45bdc8e8518937c45b06cfa720a0c7aa510649b803f581e028ac296e91c327fc570cb8489af45

Download Submit
C:\Windows\360

Filesize
552KB

MD5
eaa5600a564f9be87047c4f5276d7cc9

SHA1
9a8f9921c4da2e48f1498e3043382035671c5a48

SHA256
94ff15373e9f0f81daa8f1c85d7deacc13e921c44962907ba30b15a335e2e9ce

SHA512
41883b666f47227071c090aa3ba2248df84d810ae65cc9b1b20824510b49cd9bb723c081717d029f2407c19d4d7f3598740f4e40e487a9f18697f8f92e3faa3c

Download Submit
memory/316-6-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/316-11-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/316-12-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/316-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/316-19-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/316-23-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4708-0-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/4708-9-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download