c01111a9a1942201fc1f232dda02fe6fff8a5b45db15c9a0117d2ca57776618d

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eab2c4ef336a6d0b7734f8395d767b2f_JaffaCakes118.exe
Size

2.9MB
MD5

eab2c4ef336a6d0b7734f8395d767b2f
SHA1

d8841fafdc0ffa1a990ef0ea9903b8be16005b3e
SHA256

c01111a9a1942201fc1f232dda02fe6fff8a5b45db15c9a0117d2ca57776618d
SHA512

9796a874eabc5f2b8b73103aac951f17e029df88704e9e18363a9a2493107975e3c21b05bde8195536e6cb3f2ba2a5e16cc2d92ee812ff2222a2ed46b18fa4c0
SSDEEP

49152:u5GjOuis/5LESr+5RRWYBiCKhSOoSvbJT54QR:ukjOpshK5RkBKeTnR

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2292	ISBEW64.exe

Loads dropped DLL 6 IoCs

pid	Process
3012	eab2c4ef336a6d0b7734f8395d767b2f_JaffaCakes118.exe
3012	eab2c4ef336a6d0b7734f8395d767b2f_JaffaCakes118.exe
3012	eab2c4ef336a6d0b7734f8395d767b2f_JaffaCakes118.exe
3012	eab2c4ef336a6d0b7734f8395d767b2f_JaffaCakes118.exe
3012	eab2c4ef336a6d0b7734f8395d767b2f_JaffaCakes118.exe
3012	eab2c4ef336a6d0b7734f8395d767b2f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eab2c4ef336a6d0b7734f8395d767b2f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2292	3012	eab2c4ef336a6d0b7734f8395d767b2f_JaffaCakes118.exe	30
PID 3012 wrote to memory of 2292	3012	eab2c4ef336a6d0b7734f8395d767b2f_JaffaCakes118.exe	30
PID 3012 wrote to memory of 2292	3012	eab2c4ef336a6d0b7734f8395d767b2f_JaffaCakes118.exe	30
PID 3012 wrote to memory of 2292	3012	eab2c4ef336a6d0b7734f8395d767b2f_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\eab2c4ef336a6d0b7734f8395d767b2f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eab2c4ef336a6d0b7734f8395d767b2f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\{50C3260C-ACC7-4297-ACE2-89C1FFE71758}\ISBEW64.exe
  C:\Users\Admin\AppData\Local\Temp\{50C3260C-ACC7-4297-ACE2-89C1FFE71758}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9A2CC000-12F3-42D0-854B-145B0C6539DA}
  2⤵
  - Executes dropped EXE
  PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\skina248.rra

Filesize
23KB

MD5
48435c582b229e89a3cf87d37eef660b

SHA1
49f732627ae3b4eac4ec2042b3e98be1f5747774

SHA256
5f301a9facc4cf15c361f4c81a4f3e2ce6c81cdc3cfe48c9483c16646c469ef6

SHA512
297c1981b9d43e15a912277c239ecb5fca20600523478d158a7c8e45d5858fad7ea2c1ccce45f33df3416239392b56c2bd5f53685369d292335be40e3b189f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50C3260C-ACC7-4297-ACE2-89C1FFE71758}\{3C88E09E-78A2-414C-BAC6-989A0E150F4A}\FontData.ini

Filesize
39B

MD5
00f313e3e007599349a0c4d81c7807c4

SHA1
f0171f15aab836a1979d3833e46b5e59e4ea32e0

SHA256
766ee687d90b0217eb41cb85aca04375bdc24db986a33536631f864b7ce1a08a

SHA512
8bb25a62c0b1640dec36403a493ed54c05f7cde7b7357c8faea785a79c4b76bbe6a3d6fe78db52b558a37abac90c2b2e8b13868a76294554d51670e9fa8764ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50C3260C-ACC7-4297-ACE2-89C1FFE71758}\{3C88E09E-78A2-414C-BAC6-989A0E150F4A}\_IsRes.dll

Filesize
105KB

MD5
a69e2bb59ec31485cedafc867ad68c7c

SHA1
57fcd1b88143cce80219cad89e7d61d95d28f0e8

SHA256
4241b9e99355fb993669477691f5f20ad9337a1e53b99dc8efb1d897e1d9d4e6

SHA512
634a5d217ffc581fb1a701befe112700d449ab5339953cfaf34a909ccf74e94d94f4d1232a3371a630fcfe06867e8f4b2e0b58ba107a2020e3bb8bf5c6109aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50C3260C-ACC7-4297-ACE2-89C1FFE71758}\{3C88E09E-78A2-414C-BAC6-989A0E150F4A}\setup.inx

Filesize
214KB

MD5
5490b8ebce20d2f30117e1a792576c3f

SHA1
47d98b87ea8675ef2105c23153cc9cd1d7b92071

SHA256
3b1fe45584888137a7fdd4bb0762a2575fcc77367fbadf356178767f04de7f0b

SHA512
1ef1d511181b6f00745830b78c1ffabcc5f5f47aeaecca23821ddf3ffc63c307c281b5be34f71cd46c525bf6e2223b30805ab03ae772bb2033e42e00add6642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E9BC23AC-5B77-4AA1-8CFB-F21C8FDF3680}\Disk1\data1.hdr

Filesize
10KB

MD5
0510e943a1ccccc1d0ca2b810d9cf6bb

SHA1
66f6bc9d897de468f5eed815aa86701b6c9279ce

SHA256
bf4a80e7e44aead1e5e80b5ead4d7e38ccc5d62d899f4785c457789d636148e3

SHA512
0bfef4b43800d8a66484d5f91844264e7b34d8dd33aff04827ccd891d54d613a1980ce2ab9348fb10451bf4352e4cc6e330c1ae828902246a6325f8ee4b5b719

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E9BC23AC-5B77-4AA1-8CFB-F21C8FDF3680}\Disk1\setup.exe

Filesize
369KB

MD5
2ff85d16ad8c0e1fc2ade38b354945c2

SHA1
e9afefcdab22f372844965da6a6a9433e369fafa

SHA256
fe9c68efe364e7665b16d1dc20487f3606161f9a3b8e4635d96b8c746112d5ae

SHA512
2afbf7884eea9ae9431d8d81e71e85efc234dd68fe268f7519c809f0c466c0296df4318b3a621f643cc3ef2303529f38acf5f49425017e47e91fcd48298210c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E9BC23AC-5B77-4AA1-8CFB-F21C8FDF3680}\Disk1\setup.isn

Filesize
51KB

MD5
60f54893b6dda691b5bcb9dcc28d7e50

SHA1
aefc394a68a286acece1ea531a784e0627ecfd6a

SHA256
302013cfc50318fb0d03f8938047b29c3012bd60684cef0b26544f6bf5b05355

SHA512
5134267a7df3a86a1960eff76d555df73efa0b017dbb8e94a217ffe630b8704558601f896e2294931f3014c62e0c0514f8d213d1cac8cd3fcd7f45b56ab1c176

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E9BC23AC-5B77-4AA1-8CFB-F21C8FDF3680}\setup.ini

Filesize
501B

MD5
7b4056a2dd3a798731c775a53835ba18

SHA1
2e8de45aa3ac1d351ff720cdd414fbd4f8304ad4

SHA256
1f27b456692e6262da3d7d35a6ef71d852654a241387f8e663e70c34538fadc2

SHA512
c5eb7d84f74b2f900d766606792e9cc86966340b434f55c791931a829c341ecda346b9acbdf7bda2c42614319522a68822d4bb66100ac81aad776da2a0b27517

Download Submit
\Users\Admin\AppData\Local\Temp\{50C3260C-ACC7-4297-ACE2-89C1FFE71758}\ISBEW64.exe

Filesize
117KB

MD5
8407fc98ee367ccb196894f7cd218792

SHA1
6f280cf374fba172426b8912170b5cbafe3d88cd

SHA256
e1890e4ef7fe9c2242e1fa65da8162687c893d1a025fef254b827940d03a0d5a

SHA512
5850b48b374cb243d6eacf011f11e31050ff04118939424804a62e52da335cea6a7ea8dc363d49895ea29929b518c69dccc8320074693e7b50540580d477956c

Download Submit
\Users\Admin\AppData\Local\Temp\{50C3260C-ACC7-4297-ACE2-89C1FFE71758}\{3C88E09E-78A2-414C-BAC6-989A0E150F4A}\isrt.dll

Filesize
216KB

MD5
77a3125a2059f39a9bef961953a8db8d

SHA1
2ffb52f60c570d1d73caab095f3784dc8454e5e6

SHA256
d6cd68fa4468878d8bc045ea518235f7c6cbebbd525486ddcec7d1069d83f119

SHA512
00863cb19420f4764ab0f71ae0d788e22ad340d9f7aa074bda2f8fd8317012567e46335802fdfc800f671c22c1e74618819613c4adb6adeeaa2e74cd66401605

Download Submit
\Users\Admin\AppData\Local\Temp\{E9BC23AC-5B77-4AA1-8CFB-F21C8FDF3680}\Disk1\ISSetup.dll

Filesize
528KB

MD5
1781d48e2d9260190edf4b6a51cf6225

SHA1
c0271b77d02e57476d4d58af9a6d78acde5df4dc

SHA256
938405be0bcf1ca068e5526e63c2f191883d4a65b13481f864f61c35f3a572ab

SHA512
cc709867a6f9022cb9224eeeb325ebc64387089311bc4ce031733070dabbb69ed034afd04cd4bac0b3aaea15c3f2155c3e617425393666ebbe8872146abdfe17

Download Submit
\Users\Admin\AppData\Local\Temp\{E9BC23AC-5B77-4AA1-8CFB-F21C8FDF3680}\_Setup.dll

Filesize
144KB

MD5
3dc409b6d3a7b4c92fc37170f151e1e7

SHA1
3a5c0d31309362324fd7e2e674a1889281285024

SHA256
75e47f77c53886685af557867d6e551091b5a1a4c2354f9bf01932802580c9ac

SHA512
ec601dccbf44984ea40aa1152821d0224696a935d15c7f6c79e341577bdd571c5fbc6c496529aee6b6a0e25284b275a1d00e01851c9319ab267cc4cda4a7a22d

Download Submit
memory/3012-4744-0x0000000004700000-0x0000000004765000-memory.dmp

Filesize
404KB

Download
memory/3012-4752-0x0000000000570000-0x0000000000572000-memory.dmp

Filesize
8KB

Download
memory/3012-4728-0x0000000004380000-0x0000000004407000-memory.dmp

Filesize
540KB

Download
memory/3012-24-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/3012-21-0x00000000023C0000-0x0000000002551000-memory.dmp

Filesize
1.6MB

Download
memory/3012-4729-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/3012-9402-0x0000000004700000-0x0000000004765000-memory.dmp

Filesize
404KB

Download
memory/3012-9401-0x0000000004380000-0x0000000004407000-memory.dmp

Filesize
540KB

Download
memory/3012-9400-0x00000000023C0000-0x0000000002551000-memory.dmp

Filesize
1.6MB

Download