242471ec1da5471ffa56e36746b9b700b79c63540a1c815194d302d9e1b36972

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebb99f5ea3e1923c00d38af4e0e48bce_JaffaCakes118.exe
Size

169KB
MD5

ebb99f5ea3e1923c00d38af4e0e48bce
SHA1

bfcaf6c3f8f9343f5d7f4669eb6a0d61b26aca34
SHA256

242471ec1da5471ffa56e36746b9b700b79c63540a1c815194d302d9e1b36972
SHA512

e80c4ea9c84fcd70d79b9ae3d06cab8be639966816d1a94775416318fc817de6c35ddf7dcd75971daf6954dc6d5235e2336702ff3306a897655ad88c268e856d
SSDEEP

3072:pH+hD8ZLCczh+3tHNkkduG9rlukt0qTtgudCq+QQOU+kwOg4eGnOE2Qk7YAOZ:5FMMGDxuK0qZjCTAXH4eGnU+BZ

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebb99f5ea3e1923c00d38af4e0e48bce_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3024	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3024	taskkill.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 3024	2180	ebb99f5ea3e1923c00d38af4e0e48bce_JaffaCakes118.exe	31
PID 2180 wrote to memory of 3024	2180	ebb99f5ea3e1923c00d38af4e0e48bce_JaffaCakes118.exe	31
PID 2180 wrote to memory of 3024	2180	ebb99f5ea3e1923c00d38af4e0e48bce_JaffaCakes118.exe	31
PID 2180 wrote to memory of 3024	2180	ebb99f5ea3e1923c00d38af4e0e48bce_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\ebb99f5ea3e1923c00d38af4e0e48bce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ebb99f5ea3e1923c00d38af4e0e48bce_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -f -im ashMaiSv.exe -im McShield.exe -im oasclnt.exe -im mcagent.exe -im McVSEscn.exe -im mcvsftsn.exe -im Mcdetect.exe -im McTskshd.exe -im mcvsshld.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2180-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2180-2-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/2180-8-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/2180-9-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/2180-7-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/2180-6-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/2180-5-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/2180-4-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/2180-3-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/2180-1-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/2180-10-0x0000000075F40000-0x0000000075F41000-memory.dmp

Filesize
4KB

Download
memory/2180-11-0x0000000075F30000-0x0000000076020000-memory.dmp

Filesize
960KB

Download
memory/2180-12-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/2180-13-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/2180-14-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/2180-16-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/2180-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2180-19-0x0000000075F30000-0x0000000076020000-memory.dmp

Filesize
960KB

Download