3b03897f78c98c476ff2622638cecb4c3e0d1df752b0b0a9a4c2f94a6784fdb5

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 00:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fb2fe52a321b1ba2d423b3e34d7dd36a_JaffaCakes118.jad
Size

64KB
MD5

fb2fe52a321b1ba2d423b3e34d7dd36a
SHA1

bbb75e428a9b5de0fa191a316ee6792a1fc1bbd3
SHA256

3b03897f78c98c476ff2622638cecb4c3e0d1df752b0b0a9a4c2f94a6784fdb5
SHA512

409091564e54ed98f9f6175f16dd56d69d032493e998b17698a77419f9d768efe3c18518d87a2c1ebe8e8ea9f6afea69e6c9355a00a1cb0a31546fce4267650d
SSDEEP

768:AVxA92YZUeY5A76pWG9zvyti4dPQq1dUqr71pEtye3RdDBeSjuoeCd/dZVVXJsAR:exY2pxBWG1vAxhEopZe3rUAVV5sej5r

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\jad_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\jad_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\jad_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\jad_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\.jad	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\.jad\ = "jad_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\jad_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\jad_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2568	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2568	AcroRd32.exe
2568	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2868	2684	cmd.exe	31
PID 2684 wrote to memory of 2868	2684	cmd.exe	31
PID 2684 wrote to memory of 2868	2684	cmd.exe	31
PID 2868 wrote to memory of 2568	2868	rundll32.exe	32
PID 2868 wrote to memory of 2568	2868	rundll32.exe	32
PID 2868 wrote to memory of 2568	2868	rundll32.exe	32
PID 2868 wrote to memory of 2568	2868	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\fb2fe52a321b1ba2d423b3e34d7dd36a_JaffaCakes118.jad
1⤵
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\fb2fe52a321b1ba2d423b3e34d7dd36a_JaffaCakes118.jad
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\fb2fe52a321b1ba2d423b3e34d7dd36a_JaffaCakes118.jad"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
472a21108191f65394066735f08138cb

SHA1
c2fc5752e0257b7f6a7d80cbfa60cdecd3b5887c

SHA256
ec5d3854697ca8fe731124dbdcf7e29d55f52e84ea29952fdec199391814cf67

SHA512
7cfc2eb684ef0526dae6bf82c64fb67d2d8c88d65ddf0a25514c71b51e3e3ba2231247b0f79ac4e00ae9b3f4ced532871dbef8db25a9a3c22bb73d1af589b9f6

Download Submit