0ab02b2dc4b7cead835754f0d2950cc11d9298660c596c6ea72cb4daba5d0dcc

Analysis

max time kernel
146s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eed3cf09db68cd3281bd72eb9eab5285_JaffaCakes118.exe
Size

6.7MB
MD5

eed3cf09db68cd3281bd72eb9eab5285
SHA1

7e994a05fb1890ff779a02ccd8e54d6397246317
SHA256

0ab02b2dc4b7cead835754f0d2950cc11d9298660c596c6ea72cb4daba5d0dcc
SHA512

1f0195ed6af484ccf2a576fdeceb5884b8beac1db50b02916e4285275f0f7b80d8a4be1e24c973c42e80bbeeb139fc51e8629f51e90ecc1e239aaaf8075e60dd
SSDEEP

768:ToyzZ7iG6u4PtaGhgJ+VqQtKHPsd7MZe8PTSaSftJUJmJ1Ltpgtexlr:97JcaGhWSFKsd7MZe8POHfn/pga

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2660	KB416588.EXE

Loads dropped DLL 2 IoCs

pid	Process
2232	eed3cf09db68cd3281bd72eb9eab5285_JaffaCakes118.exe
2232	eed3cf09db68cd3281bd72eb9eab5285_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRAM FILES\WINDOWSUPDATE\KB416588.EXE	eed3cf09db68cd3281bd72eb9eab5285_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\WINDOWSUPDATE\KB416588.EXE	eed3cf09db68cd3281bd72eb9eab5285_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eed3cf09db68cd3281bd72eb9eab5285_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KB416588.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2660	2232	eed3cf09db68cd3281bd72eb9eab5285_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2660	2232	eed3cf09db68cd3281bd72eb9eab5285_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2660	2232	eed3cf09db68cd3281bd72eb9eab5285_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2660	2232	eed3cf09db68cd3281bd72eb9eab5285_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2556	2660	KB416588.EXE	31
PID 2660 wrote to memory of 2556	2660	KB416588.EXE	31
PID 2660 wrote to memory of 2556	2660	KB416588.EXE	31
PID 2660 wrote to memory of 2556	2660	KB416588.EXE	31

C:\Users\Admin\AppData\Local\Temp\eed3cf09db68cd3281bd72eb9eab5285_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eed3cf09db68cd3281bd72eb9eab5285_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232
- C:\PROGRAM FILES\WINDOWSUPDATE\KB416588.EXE
  "C:\PROGRAM FILES\WINDOWSUPDATE\KB416588.EXE" C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\EED3CF09DB68CD3281BD72EB9EAB5285_JAFFACAKES118.EXE
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C /Q del C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\EED3CF09DB68CD3281BD72EB9EAB5285_JAFFACAKES118.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WINDOWSUPDATE\KB416588.EXE

Filesize
16.1MB

MD5
69436eb730e72f49662f2ba929a9a1be

SHA1
70c2b26f32ae2c17b67601a4af752a28e8f646c7

SHA256
2af855e8c495bd328d7e15277a63bfeb87a7f2ea44c7bebde0f06456c0ecf7d5

SHA512
8fd9f8836ad409233f9344acb4b03657485816ff087c1c4f38fc13b53080d6152a8b3238f2f500a23e187a930f58753adf48a7934604e1e55b5d1e64f8f67e8c

Download Submit
memory/2232-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2232-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2232-9-0x0000000000380000-0x0000000000392000-memory.dmp

Filesize
72KB

Download
memory/2232-16-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2232-14-0x0000000000380000-0x0000000000392000-memory.dmp

Filesize
72KB

Download
memory/2660-17-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2660-18-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2660-20-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download