3be597965c9479a6588a274af460f39c1066a33457b1639fe74454d958b9e9d9

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ead1707e3c6e1950ce46f36240d4c80c_JaffaCakes118.exe
Size

36KB
MD5

ead1707e3c6e1950ce46f36240d4c80c
SHA1

59b312ad53f2fa2a01253cd7f730d532d56e6113
SHA256

3be597965c9479a6588a274af460f39c1066a33457b1639fe74454d958b9e9d9
SHA512

9a2dea67234a50a69441682bb905549e60b1bfae5913cdd25726153d6454cf6000d3519097a54876c4eb89f7f2b796ecdbbcb5313777cc5797de18dbee9f3cb3
SSDEEP

768:Q2gpFmvbXimSBlWRVJqYOF6dXm3jI3bOHfO:qKiYAF65m3jpO

Score

6^/10

discovery

Malware Config

Signatures

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ead1707e3c6e1950ce46f36240d4c80c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2912	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2912	PING.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2808	1448	ead1707e3c6e1950ce46f36240d4c80c_JaffaCakes118.exe	30
PID 1448 wrote to memory of 2808	1448	ead1707e3c6e1950ce46f36240d4c80c_JaffaCakes118.exe	30
PID 1448 wrote to memory of 2808	1448	ead1707e3c6e1950ce46f36240d4c80c_JaffaCakes118.exe	30
PID 1448 wrote to memory of 2808	1448	ead1707e3c6e1950ce46f36240d4c80c_JaffaCakes118.exe	30
PID 2808 wrote to memory of 2160	2808	cmd.exe	32
PID 2808 wrote to memory of 2160	2808	cmd.exe	32
PID 2808 wrote to memory of 2160	2808	cmd.exe	32
PID 2808 wrote to memory of 2160	2808	cmd.exe	32
PID 2160 wrote to memory of 1716	2160	WScript.exe	33
PID 2160 wrote to memory of 1716	2160	WScript.exe	33
PID 2160 wrote to memory of 1716	2160	WScript.exe	33
PID 2160 wrote to memory of 1716	2160	WScript.exe	33
PID 1716 wrote to memory of 1152	1716	cmd.exe	35
PID 1716 wrote to memory of 1152	1716	cmd.exe	35
PID 1716 wrote to memory of 1152	1716	cmd.exe	35
PID 1716 wrote to memory of 1152	1716	cmd.exe	35
PID 1152 wrote to memory of 2064	1152	net.exe	36
PID 1152 wrote to memory of 2064	1152	net.exe	36
PID 1152 wrote to memory of 2064	1152	net.exe	36
PID 1152 wrote to memory of 2064	1152	net.exe	36
PID 1716 wrote to memory of 1984	1716	cmd.exe	37
PID 1716 wrote to memory of 1984	1716	cmd.exe	37
PID 1716 wrote to memory of 1984	1716	cmd.exe	37
PID 1716 wrote to memory of 1984	1716	cmd.exe	37
PID 1716 wrote to memory of 2912	1716	cmd.exe	38
PID 1716 wrote to memory of 2912	1716	cmd.exe	38
PID 1716 wrote to memory of 2912	1716	cmd.exe	38
PID 1716 wrote to memory of 2912	1716	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\ead1707e3c6e1950ce46f36240d4c80c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ead1707e3c6e1950ce46f36240d4c80c_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\A2E.tmp\´©Âí½Å±¾mcsql.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ghost.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c Ghost.bat
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Windows\SysWOW64\net.exe
        
        net stop sharedaccess
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1152
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
    - - C:\Windows\SysWOW64\ftp.exe
        
        ftp -s:Ghost.sys
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 127.0.0.1
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Share Discovery

T1135

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A2E.tmp\´©Âí½Å±¾mcsql.bat

Filesize
631B

MD5
3f33469ba45d09596a2de349f8fad53b

SHA1
0312f4cf13ad712dcda27d8c4bd84588e0970796

SHA256
9685deafe8c4fa5e193414455663920a94c9fa14de48b6c7b678e011bbd76d23

SHA512
8fbd9d922711a5a788318306d67038a26aefc9ae408eb833cd58013b99856d8c27850c995c29b99f78483af6d49fd2c2b5ec93b370b156a6699032ff533028db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ghost.bat

Filesize
146B

MD5
e711502dd207a2cb853687e2d7c2ab9d

SHA1
6940d46f67566e0a0a79f2cdafc4d395ea893618

SHA256
80615f9e19c2418410cd31613e0d5f5458b352526740cde753800172f8e7c2a4

SHA512
d8681ae5b91b2718529eb2a25fcc7239bab5e3dd3bbac51f9fd7144c061e1ca227a98c23d9f46fe4c61fe3d27704492e4fee81bcc08376e83186cbd4d66e024f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ghost.sys

Filesize
56B

MD5
b838525f20b9008e6c4ba1a8f7ad55bd

SHA1
ccc513c0aebfbf1c53b87d2271b07711d8514305

SHA256
c2d7bf39317ac56b0312a67977d76c626bfa9792fcce3e7f517a61b0cc60b5d6

SHA512
680a0fc2a436b8f573d9099b6844ba316de3703dc5646f66a20ae6f56aeab3e49250bd0dca02e6bb7aefc351bd57355365b60c83fcea05ec01a0aa22e1409634

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ghost.vbs

Filesize
148B

MD5
abc6b3b2a07ea3f8ded9a2438715aff1

SHA1
f6152501ffad2dd864d8308226e13f1f64c29374

SHA256
7a14f2bfc22c838b133d3b8ecdcd4a8f8a3fdad1da7b74affb1e5dd61592ab21

SHA512
070222694abbf65cc44bac817fdfd932f84a9c70605525b5e57583e70ade6da599274aa609f09c1cca1cc06433166af42ae9a18287ecc5ebbf167e6b16ab9844

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads