e017d61cb83a1ab834b48e5c5e4b4859eb132f9967f6a728b42e737b89cb4efd

Analysis

max time kernel
145s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb2c576f51ed1aa2c4a10fe083f9d138_JaffaCakes118.exe
Size

1.2MB
MD5

eb2c576f51ed1aa2c4a10fe083f9d138
SHA1

21741a178128457ae6d3b25ee90c57fbc8bd39c8
SHA256

e017d61cb83a1ab834b48e5c5e4b4859eb132f9967f6a728b42e737b89cb4efd
SHA512

c68419d51e3f213064b9b7ec7e29433bf06e64ee0a42cfb3067c8d81c9244beffc92f23002aad3234ffdf2eafa7cbb7a2e86e03d4eb6ecbce4cc02179837b00c
SSDEEP

24576:cBBtTMdOF2lXnTP7+grzHefaWidHM13XA6UUMHKEMTarnwiUq+kRDg5YQ:cBXTWlXnnzH4aWidsNA6UFldrmqFRg5D

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3000	MM11.1.exe
2808	Ò²ÏëÊÔÊÔ.exe

Loads dropped DLL 4 IoCs

pid	Process
2776	eb2c576f51ed1aa2c4a10fe083f9d138_JaffaCakes118.exe
2776	eb2c576f51ed1aa2c4a10fe083f9d138_JaffaCakes118.exe
2776	eb2c576f51ed1aa2c4a10fe083f9d138_JaffaCakes118.exe
2776	eb2c576f51ed1aa2c4a10fe083f9d138_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ò²ÏëÊÔÊÔ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb2c576f51ed1aa2c4a10fe083f9d138_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MM11.1.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2776	eb2c576f51ed1aa2c4a10fe083f9d138_JaffaCakes118.exe
3000	MM11.1.exe
3000	MM11.1.exe
3000	MM11.1.exe
3000	MM11.1.exe
3000	MM11.1.exe
3000	MM11.1.exe
3000	MM11.1.exe
3000	MM11.1.exe
3000	MM11.1.exe
3000	MM11.1.exe
3000	MM11.1.exe
3000	MM11.1.exe
3000	MM11.1.exe
3000	MM11.1.exe
3000	MM11.1.exe
3000	MM11.1.exe
3000	MM11.1.exe
3000	MM11.1.exe
3000	MM11.1.exe
3000	MM11.1.exe
3000	MM11.1.exe
3000	MM11.1.exe
3000	MM11.1.exe
3000	MM11.1.exe
3000	MM11.1.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2808	Ò²ÏëÊÔÊÔ.exe
2808	Ò²ÏëÊÔÊÔ.exe
2808	Ò²ÏëÊÔÊÔ.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 3000	2776	eb2c576f51ed1aa2c4a10fe083f9d138_JaffaCakes118.exe	30
PID 2776 wrote to memory of 3000	2776	eb2c576f51ed1aa2c4a10fe083f9d138_JaffaCakes118.exe	30
PID 2776 wrote to memory of 3000	2776	eb2c576f51ed1aa2c4a10fe083f9d138_JaffaCakes118.exe	30
PID 2776 wrote to memory of 3000	2776	eb2c576f51ed1aa2c4a10fe083f9d138_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2808	2776	eb2c576f51ed1aa2c4a10fe083f9d138_JaffaCakes118.exe	31
PID 2776 wrote to memory of 2808	2776	eb2c576f51ed1aa2c4a10fe083f9d138_JaffaCakes118.exe	31
PID 2776 wrote to memory of 2808	2776	eb2c576f51ed1aa2c4a10fe083f9d138_JaffaCakes118.exe	31
PID 2776 wrote to memory of 2808	2776	eb2c576f51ed1aa2c4a10fe083f9d138_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\eb2c576f51ed1aa2c4a10fe083f9d138_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb2c576f51ed1aa2c4a10fe083f9d138_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Local\Temp\Temp\MM11.1.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\MM11.1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3000
- C:\Users\Admin\AppData\Local\Temp\Temp\Ò²ÏëÊÔÊÔ.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\Ò²ÏëÊÔÊÔ.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp\Ò²ÏëÊÔÊÔ.exe

Filesize
1.4MB

MD5
74a744a1c3bbb516e18f3820de91064c

SHA1
22026bf34f66301e5e2c5a8d7300cd9e2b941b5a

SHA256
c4faade71cd4648ef8ede530be21cc19f2b606f5d290c51a66a23f65aae1fbf6

SHA512
b43b78c467fc1b40eb082ca835fd83eceb34d3bd4b5697befa01a8ab1a9320b973b2c46d65eb78404823a1af7cf912238619e55f5836d1685f64d2602ff410bb

Download Submit
\Users\Admin\AppData\Local\Temp\Temp\MM11.1.exe

Filesize
192KB

MD5
8cd5e84bb31907c342a8705d6d819a17

SHA1
516ff7c1d00718c0546799ea83ef7b465695d174

SHA256
ee3607f573bef2cd857deb267f85808c68aeb946ea1bcda4439d1e0596bb427f

SHA512
0476e200416ca14855856559111bc30d1261fbf442d3fa7c3fec90f932754b173de9f0bb7b3798c0f4426eae39c11e73de6a9893b74f5ace0d0c229803b403b9

Download Submit