9281193e4502ea5231e4c5be6a987378fdf7010c72f880a5fc9940376b439d39

Analysis

max time kernel
145s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fab8dddc51857b7701e3bd31b85cdd65_JaffaCakes118.exe
Size

1.1MB
MD5

fab8dddc51857b7701e3bd31b85cdd65
SHA1

42eb5e91e45a0d00b159e8b2770a53d3d25be380
SHA256

9281193e4502ea5231e4c5be6a987378fdf7010c72f880a5fc9940376b439d39
SHA512

a949eb49972d1a6a4491c8091a24ac8481753ff11d90d892a16092a094740cb3f80aa0d162464569e3403e43037c1437ab558a0c70bc508517719029e5afb2f2
SSDEEP

24576:edxgKkMgS6G02uolau32IJIZ3cRd5Pt02sFl:IkK6GDuolg9cRd5P/

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1652	Music.exe
2884	CSHack 2.0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSHack 2.0.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2884	CSHack 2.0.exe
2884	CSHack 2.0.exe
2884	CSHack 2.0.exe
2884	CSHack 2.0.exe
2884	CSHack 2.0.exe
2884	CSHack 2.0.exe
2884	CSHack 2.0.exe
2884	CSHack 2.0.exe
2884	CSHack 2.0.exe
2884	CSHack 2.0.exe
2884	CSHack 2.0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	CSHack 2.0.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1652	1352	fab8dddc51857b7701e3bd31b85cdd65_JaffaCakes118.exe	30
PID 1352 wrote to memory of 1652	1352	fab8dddc51857b7701e3bd31b85cdd65_JaffaCakes118.exe	30
PID 1352 wrote to memory of 1652	1352	fab8dddc51857b7701e3bd31b85cdd65_JaffaCakes118.exe	30
PID 1352 wrote to memory of 2884	1352	fab8dddc51857b7701e3bd31b85cdd65_JaffaCakes118.exe	31
PID 1352 wrote to memory of 2884	1352	fab8dddc51857b7701e3bd31b85cdd65_JaffaCakes118.exe	31
PID 1352 wrote to memory of 2884	1352	fab8dddc51857b7701e3bd31b85cdd65_JaffaCakes118.exe	31
PID 1352 wrote to memory of 2884	1352	fab8dddc51857b7701e3bd31b85cdd65_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\fab8dddc51857b7701e3bd31b85cdd65_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fab8dddc51857b7701e3bd31b85cdd65_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\Music.exe
  "C:\Users\Admin\AppData\Local\Temp\Music.exe"
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Users\Admin\AppData\Local\Temp\CSHack 2.0.exe
  "C:\Users\Admin\AppData\Local\Temp\CSHack 2.0.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CSHack 2.0.exe

Filesize
815KB

MD5
02c71941c205f1603ca8afffac3583a0

SHA1
cb2a085247392ea4eb834ab27d0e076fe67172b1

SHA256
6aeb26d964cae3779f94571ee1bd6b336c2efa023e93194f9817560c470ca426

SHA512
299db5c8f0d3fb3f74c093ae3a71e7c32b0598af0d461ea4f6e9b22edb581d4cb814803156c595806d4ecdf078cb2bb4040392f60f3547c3f8a022be2770b616

Download Submit
C:\Users\Admin\AppData\Local\Temp\Music.exe

Filesize
15KB

MD5
0f487895395e75d1a493d1bdb3bc4852

SHA1
1c3ebc0233007e746a195769c927d6748cabe9f9

SHA256
d225db7c5c95612d4dbc013de1800bb415e11051d5109be0b7beacccc9da1a72

SHA512
9e26b03947982910e02f11b23ccb52f1549a32c2dcd7c3c26fae034a9e0d4f6882b49b6d7a144083d9dfaf8a95b0ab7a6b5632b262a9406b545718dd4ea66a0b

Download Submit
memory/1352-0-0x000007FEF656E000-0x000007FEF656F000-memory.dmp

Filesize
4KB

Download
memory/1352-15-0x000007FEF62B0000-0x000007FEF6C4D000-memory.dmp

Filesize
9.6MB

Download
memory/1652-16-0x000007FEF62B0000-0x000007FEF6C4D000-memory.dmp

Filesize
9.6MB

Download
memory/1652-18-0x000007FEF62B0000-0x000007FEF6C4D000-memory.dmp

Filesize
9.6MB

Download
memory/1652-17-0x000007FEF62B0000-0x000007FEF6C4D000-memory.dmp

Filesize
9.6MB

Download
memory/1652-19-0x000007FEF62B0000-0x000007FEF6C4D000-memory.dmp

Filesize
9.6MB

Download
memory/2884-20-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2884-22-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download