c1b9b1498e94a595398cae77c2e50bf8023e9ea02f3b3803899a9fb4aeabce75

Analysis

max time kernel
109s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eed7798904fbbe0f10b9223717cafb5c_JaffaCakes118.exe
Size

13KB
MD5

eed7798904fbbe0f10b9223717cafb5c
SHA1

31d089d550247b0d0eb35cae03c3f555a1d0b1d3
SHA256

c1b9b1498e94a595398cae77c2e50bf8023e9ea02f3b3803899a9fb4aeabce75
SHA512

d048d5365be15352afb203f21f09dc2f93a3daae53f3f39c416f593a190956e1950d8771f27731fa6a075743e0eec753f2c0c78e4f6918b434b7f31c432c24d2
SSDEEP

384:ZGllOAPM0JVfZvTAesNcmZvg4VMTv2pkHRLOk:gHl0qFZKcmZg4VaMgRSk

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\abvstklg.dll = "{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}"	eed7798904fbbe0f10b9223717cafb5c_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
3772	eed7798904fbbe0f10b9223717cafb5c_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\abvstklg.tmp	eed7798904fbbe0f10b9223717cafb5c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\abvstklg.tmp	eed7798904fbbe0f10b9223717cafb5c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\abvstklg.nls	eed7798904fbbe0f10b9223717cafb5c_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eed7798904fbbe0f10b9223717cafb5c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}\InProcServer32\ThreadingModel = "Apartment"	eed7798904fbbe0f10b9223717cafb5c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}	eed7798904fbbe0f10b9223717cafb5c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}\InProcServer32	eed7798904fbbe0f10b9223717cafb5c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}\InProcServer32\ = "C:\\Windows\\SysWow64\\abvstklg.dll"	eed7798904fbbe0f10b9223717cafb5c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3772	eed7798904fbbe0f10b9223717cafb5c_JaffaCakes118.exe
3772	eed7798904fbbe0f10b9223717cafb5c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3772	eed7798904fbbe0f10b9223717cafb5c_JaffaCakes118.exe
3772	eed7798904fbbe0f10b9223717cafb5c_JaffaCakes118.exe
3772	eed7798904fbbe0f10b9223717cafb5c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3772 wrote to memory of 3120	3772	eed7798904fbbe0f10b9223717cafb5c_JaffaCakes118.exe	90
PID 3772 wrote to memory of 3120	3772	eed7798904fbbe0f10b9223717cafb5c_JaffaCakes118.exe	90
PID 3772 wrote to memory of 3120	3772	eed7798904fbbe0f10b9223717cafb5c_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\eed7798904fbbe0f10b9223717cafb5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eed7798904fbbe0f10b9223717cafb5c_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1613.tmp.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1613.tmp.bat

Filesize
207B

MD5
cad0370ee3feed36f167a063a9552d8c

SHA1
03a354566ca477af3c247a038f401408835affde

SHA256
b32ba1bdcd5c377a2c4d8fcbdb8f5e2c704f5e09bc34aa058228aac78cc334ff

SHA512
81f519ab87b4b2e54a9358de61b549cfe885a48d1111279d9b99097084bd8c560421983b2ca8d54b2b749ce4a7936e5797f49ba088759fab475c7294a877fd00

Download Submit
C:\Windows\SysWOW64\abvstklg.tmp

Filesize
2.1MB

MD5
081af27f1b32c0686713f4ed4c691998

SHA1
0e7dab914908bb80ee09bd61199da0eb1dc8968c

SHA256
c929afe44a1bfdf075c57e101154f48bafaafaa9d94f03934bcff4401fec5a19

SHA512
a9fa9c4c536efec6fe50f06ef3999df89bb694f3097db194fb93baced70069f5d3dfcbe3a2edd5686e2830eb84fb929dacf209827e5a1580bddf934a55becdb3

Download Submit
memory/3772-13-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/3772-18-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download