e61c9189aea6fbf278c49d7dab83e2f56ca70ef9575ebdf0691b17a4a9e60a7e

Analysis

max time kernel
139s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd4999bcbfefb6ffa8d77842646cc473_JaffaCakes118.exe
Size

196KB
MD5

fd4999bcbfefb6ffa8d77842646cc473
SHA1

818fa98cf7f00787c2c1910df9d690b4f4cb919f
SHA256

e61c9189aea6fbf278c49d7dab83e2f56ca70ef9575ebdf0691b17a4a9e60a7e
SHA512

2fa9292f69eface3439fe1ce6c621bf3c56cce77a9f723f8891d2d9a736553b2022d0bc86ea832de2ecb232718464b2080ea975c497ab681c9527afc8b970c03
SSDEEP

6144:8u3QelyRW3UX3Z6etibRIP9tlnDZG1xYWhNO8NOqGAkh:8UvuW32Z61dGhZafXNOFAkh

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2716	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
332	csrss.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64
Destination IP	94.242.250.64

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2684 set thread context of 2716	2684	fd4999bcbfefb6ffa8d77842646cc473_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd4999bcbfefb6ffa8d77842646cc473_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2684	fd4999bcbfefb6ffa8d77842646cc473_JaffaCakes118.exe
2684	fd4999bcbfefb6ffa8d77842646cc473_JaffaCakes118.exe
2684	fd4999bcbfefb6ffa8d77842646cc473_JaffaCakes118.exe
2684	fd4999bcbfefb6ffa8d77842646cc473_JaffaCakes118.exe
332	csrss.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	fd4999bcbfefb6ffa8d77842646cc473_JaffaCakes118.exe
Token: SeDebugPrivilege	2684	fd4999bcbfefb6ffa8d77842646cc473_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	852	svchost.exe
Token: SeIncreaseQuotaPrivilege	852	svchost.exe
Token: SeSecurityPrivilege	852	svchost.exe
Token: SeTakeOwnershipPrivilege	852	svchost.exe
Token: SeLoadDriverPrivilege	852	svchost.exe
Token: SeSystemtimePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeShutdownPrivilege	852	svchost.exe
Token: SeSystemEnvironmentPrivilege	852	svchost.exe
Token: SeUndockPrivilege	852	svchost.exe
Token: SeManageVolumePrivilege	852	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	852	svchost.exe
Token: SeIncreaseQuotaPrivilege	852	svchost.exe
Token: SeSecurityPrivilege	852	svchost.exe
Token: SeTakeOwnershipPrivilege	852	svchost.exe
Token: SeLoadDriverPrivilege	852	svchost.exe
Token: SeSystemtimePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeShutdownPrivilege	852	svchost.exe
Token: SeSystemEnvironmentPrivilege	852	svchost.exe
Token: SeUndockPrivilege	852	svchost.exe
Token: SeManageVolumePrivilege	852	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	852	svchost.exe
Token: SeIncreaseQuotaPrivilege	852	svchost.exe
Token: SeSecurityPrivilege	852	svchost.exe
Token: SeTakeOwnershipPrivilege	852	svchost.exe
Token: SeLoadDriverPrivilege	852	svchost.exe
Token: SeSystemtimePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeShutdownPrivilege	852	svchost.exe
Token: SeSystemEnvironmentPrivilege	852	svchost.exe
Token: SeUndockPrivilege	852	svchost.exe
Token: SeManageVolumePrivilege	852	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	852	svchost.exe
Token: SeIncreaseQuotaPrivilege	852	svchost.exe
Token: SeSecurityPrivilege	852	svchost.exe
Token: SeTakeOwnershipPrivilege	852	svchost.exe
Token: SeLoadDriverPrivilege	852	svchost.exe
Token: SeSystemtimePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeShutdownPrivilege	852	svchost.exe
Token: SeSystemEnvironmentPrivilege	852	svchost.exe
Token: SeUndockPrivilege	852	svchost.exe
Token: SeManageVolumePrivilege	852	svchost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 1124	2684	fd4999bcbfefb6ffa8d77842646cc473_JaffaCakes118.exe	20
PID 2684 wrote to memory of 332	2684	fd4999bcbfefb6ffa8d77842646cc473_JaffaCakes118.exe	2
PID 332 wrote to memory of 2752	332	csrss.exe	30
PID 332 wrote to memory of 2752	332	csrss.exe	30
PID 2684 wrote to memory of 2716	2684	fd4999bcbfefb6ffa8d77842646cc473_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2716	2684	fd4999bcbfefb6ffa8d77842646cc473_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2716	2684	fd4999bcbfefb6ffa8d77842646cc473_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2716	2684	fd4999bcbfefb6ffa8d77842646cc473_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2716	2684	fd4999bcbfefb6ffa8d77842646cc473_JaffaCakes118.exe	31
PID 332 wrote to memory of 852	332	csrss.exe	13

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:852
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:2752

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1124
- C:\Users\Admin\AppData\Local\Temp\fd4999bcbfefb6ffa8d77842646cc473_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fd4999bcbfefb6ffa8d77842646cc473_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
aa591d93dea2b355f447f87ca177f0ad

SHA1
3f9c06eeb65a6d4868260be6c60f768c8370a1f0

SHA256
ca7fc6612a951b2d6e9ab6b84acab0392bd96d109607520e2e49c2c200f4f5e1

SHA512
e932282d536c6c2f2d6e64f328be1b61a8e33599ba0c799da16dc474810a8f9ac1445b64becb87db405f8b480375114f0106dd10d068750951a8b1783dfd1b29

Download Submit
\Windows\System32\consrv.dll

Filesize
52KB

MD5
e60558bda4e220f494f7ef757f0bd725

SHA1
9e1215bdad1a51123a4eb012f1f4e3103ac436ed

SHA256
86a744302786cb7afb20ccf54f8e157fc149906fca8af1bcc62bc56f8d807a98

SHA512
e13e010a99d501a4c462377f144614945346e00b28e1a39936c329f6cdb8ddf24a9188bdb7bd5723925c77b940d6559fd876ad574a8dccac07cd1b1ea13e7576

Download Submit
memory/332-20-0x0000000002520000-0x0000000002531000-memory.dmp

Filesize
68KB

Download
memory/332-21-0x0000000002520000-0x0000000002531000-memory.dmp

Filesize
68KB

Download
memory/332-29-0x0000000002520000-0x0000000002531000-memory.dmp

Filesize
68KB

Download
memory/332-19-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/852-44-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/852-31-0x00000000003E0000-0x00000000003EB000-memory.dmp

Filesize
44KB

Download
memory/852-35-0x00000000003E0000-0x00000000003EB000-memory.dmp

Filesize
44KB

Download
memory/852-42-0x00000000003F0000-0x00000000003FB000-memory.dmp

Filesize
44KB

Download
memory/852-40-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/852-45-0x00000000003F0000-0x00000000003FB000-memory.dmp

Filesize
44KB

Download
memory/852-39-0x00000000003E0000-0x00000000003EB000-memory.dmp

Filesize
44KB

Download
memory/1124-10-0x0000000002580000-0x0000000002586000-memory.dmp

Filesize
24KB

Download
memory/1124-5-0x0000000002580000-0x0000000002586000-memory.dmp

Filesize
24KB

Download
memory/1124-13-0x0000000002580000-0x0000000002586000-memory.dmp

Filesize
24KB

Download
memory/1124-4-0x0000000002570000-0x0000000002572000-memory.dmp

Filesize
8KB

Download
memory/2684-28-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2684-25-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2684-24-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/2684-0-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/2684-3-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2684-2-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2684-1-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download