0b75f331290973cdd4191225d46e064a84c42f58a71030669a2a65f364ff2317

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb66fcee79fd0c4cc2dbe887b98bcda2_JaffaCakes118.exe
Size

287KB
MD5

fb66fcee79fd0c4cc2dbe887b98bcda2
SHA1

740ebc60176513a1e1a614d5ba7824d7fc7ae0cb
SHA256

0b75f331290973cdd4191225d46e064a84c42f58a71030669a2a65f364ff2317
SHA512

29079a8097f698035323f989df918e2b68fa2cfcad76131c1945b4126d3cb92032c3707efc7849c3c86a6e7f6275320603c6f75a869d4036da4294b702b31ec8
SSDEEP

6144:zxddq5R7YJZNLqKvDd5M5X6BfnkZ5vkNS9jMl:zZq5R7KNuCY5KBf8xkNl

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Deletes itself 1 IoCs

pid	Process
2288	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kmon.abc	fb66fcee79fd0c4cc2dbe887b98bcda2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\kmon.dll.abc	fb66fcee79fd0c4cc2dbe887b98bcda2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb66fcee79fd0c4cc2dbe887b98bcda2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2288	2236	fb66fcee79fd0c4cc2dbe887b98bcda2_JaffaCakes118.exe	28
PID 2236 wrote to memory of 2288	2236	fb66fcee79fd0c4cc2dbe887b98bcda2_JaffaCakes118.exe	28
PID 2236 wrote to memory of 2288	2236	fb66fcee79fd0c4cc2dbe887b98bcda2_JaffaCakes118.exe	28
PID 2236 wrote to memory of 2288	2236	fb66fcee79fd0c4cc2dbe887b98bcda2_JaffaCakes118.exe	28
PID 2288 wrote to memory of 1672	2288	cmd.exe	30
PID 2288 wrote to memory of 1672	2288	cmd.exe	30
PID 2288 wrote to memory of 1672	2288	cmd.exe	30
PID 2288 wrote to memory of 1672	2288	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\fb66fcee79fd0c4cc2dbe887b98bcda2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb66fcee79fd0c4cc2dbe887b98bcda2_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\DeleteMyself.cmd" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo C:\Users\Admin\AppData\Local\Temp\tmp$$$.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DeleteMyself.cmd

Filesize
291B

MD5
668c3239949f7a97bb5a73c5c03c6bea

SHA1
fe77b4f6b1353e0ab343172f7cc4e634d091284c

SHA256
9c36f01c130f9a375c2eec106cf889fbdc4698880cfa1fcae90e79cdd990b790

SHA512
1d8e7f05fdb516cc4dfd196afc5a8d2f00fd81958810dfbcc75a5d7805fb4eea15106bf98ac9336af4af8d9492d0a9f823f19c756c928a17a18df64d62fc394e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp$$$.vbs

Filesize
23B

MD5
1f213db973e60e54a1200d443819b5b6

SHA1
ac6eed8fdefe0d1a997a11e7968c81988b5e53f5

SHA256
d414dff074733c8f4e463e0d9bcf219058d56e1e64b4a3984e1f36ab01966d59

SHA512
ab045bf7bd654e135b8697dadbb48c8146d7fab9f168d6d550b7f5dea76b4724ae2a6876b343efdc42aba9b010a331b3c3791985de3cb836f28bea36bb54f7bf

Download Submit