40454a82584fc45df3a35e62211379963ccd410bfdcd441e4037ce33f2335916

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9a031e42b8a3d989ee4e4a0ca66b163_JaffaCakes118.exe
Size

554KB
MD5

f9a031e42b8a3d989ee4e4a0ca66b163
SHA1

4bf762987ba161f796c7424257e205ef910424f2
SHA256

40454a82584fc45df3a35e62211379963ccd410bfdcd441e4037ce33f2335916
SHA512

3d3a952706fa0ea8787c91827f109013f00e1fd7b803424893f96b51b572bd5c18b71559410d71c90cc5fe5a093e28bc414fb7162c02a0062233a9a8ede5929c
SSDEEP

12288:w+8mS3Kb4F4yC1uZX7h7chL32v+P6wCoo3QWMprCsOD:wxmSdF4BwLh7c4O6fZQJgsOD

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2820	_bbg.exe

Loads dropped DLL 2 IoCs

pid	Process
1688	f9a031e42b8a3d989ee4e4a0ca66b163_JaffaCakes118.exe
2820	_bbg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9a031e42b8a3d989ee4e4a0ca66b163_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_bbg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2820	_bbg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2820	1688	f9a031e42b8a3d989ee4e4a0ca66b163_JaffaCakes118.exe	30
PID 1688 wrote to memory of 2820	1688	f9a031e42b8a3d989ee4e4a0ca66b163_JaffaCakes118.exe	30
PID 1688 wrote to memory of 2820	1688	f9a031e42b8a3d989ee4e4a0ca66b163_JaffaCakes118.exe	30
PID 1688 wrote to memory of 2820	1688	f9a031e42b8a3d989ee4e4a0ca66b163_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\f9a031e42b8a3d989ee4e4a0ca66b163_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9a031e42b8a3d989ee4e4a0ca66b163_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\sfx1\_bbg.exe
  C:\Users\Admin\AppData\Local\Temp\sfx1\_bbg.exe /sfxv:3.1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sfx1\_bbg.exe

Filesize
692KB

MD5
fa8c1c8a8b814b2368605ad7e79cf60a

SHA1
00ef088f81f1fb03b2fb23f9826bfd191a270ecf

SHA256
b395c1c0081364250c627497e860e41ef633c0f120b42c9c8772bfb513fbd276

SHA512
46d78333ecc01fe74ae3b0ae7b68ed471b31e3fb9f818ed38ae48ce946403935a4906db566ce96a71d4b1a4ac2b4c5182458ff5058b5925bf47df1fce18bf025

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sfx1\BB40eng.dix

Filesize
46KB

MD5
627d9a33b0ee18c24296c123f610c629

SHA1
028c3c27c66a45eff872846778866e065b791291

SHA256
6c684ad8912a35c8794dd23473f6242d53cfc8b2c1d912ac91f1ac833d22cfeb

SHA512
c3a61272a2473eb6a381d8ca2832c76af4be6208b9c904de57de062f5805741b1fd62289fe8881236ca7d11250f92c0c2dc3052ac40b78275104b8b97fbd83a8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sfx1\gdipacc.dll

Filesize
64KB

MD5
b7b8e101bc56b050848ba21e221a205c

SHA1
f3efe9242f2496e4599e7eec918d3785a5ab20fd

SHA256
3be01c57596a8319ef663fac85587836fe2236590326236ddf888ccc8a458082

SHA512
af5aa06a9eca3a14282d457dc6dedf1cc03331931b6c3f13e5e20aecec30923e7e61647de4cd6faa7ed6a5f1e27c2f83d18fe372c055b2412dec17f2f8cd10ac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sfx1\tex_def.jpg

Filesize
2KB

MD5
350c1e05a15b539a7c32740eb1970ac6

SHA1
4d5c36af3617a657765318fe12050ed5b42dd1fd

SHA256
a2c256d1b02cfd9889b62030c9c87fc15593881f88aaa08d5efa190c7fb14011

SHA512
3d158f25e02a0362fa18ce88124d05a95f228aed9679af4a395c8ac615424d9b765bfa325c10e47132f84c7b2bf0808282b38556da271fa6f17877fe9f9e37d5

Download Submit
\??\c:\users\admin\appdata\local\temp\sfx1\bbgift.puz

Filesize
91KB

MD5
a8957db4be5a32f50981cc0b3d991882

SHA1
6f2ca84181c4141dedad7cf59c9fa288c0df17a5

SHA256
db8f50380607e4ba7fef38e88c32a4290f2762563a9414049aebbb5b3436a21a

SHA512
9b650464049838af0fb0b456130f1e8a8ae9450c67687a467dea350c0fd8c1697bcef97c95509ca2eb1831ddc6f21d2c2a08803e00485bf9a9cbff75e4b8f0d2

Download Submit