07f79612340c73aea3a5ee31715185f27cdc6f8230c6e5fae0e9d49853458ef3

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 05:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fba1b8e53e53a68c3ee166c4bdb61087_JaffaCakes118.exe
Size

596KB
MD5

fba1b8e53e53a68c3ee166c4bdb61087
SHA1

6b69c6e4d7007a67da0a352ac643d8d9ae03fc5a
SHA256

07f79612340c73aea3a5ee31715185f27cdc6f8230c6e5fae0e9d49853458ef3
SHA512

be42239b9287e26062b61b477389f5ecb8a297fe6673f2627358b583165c01dcdad3c7dfa416ede2948494c7278ee9e8c53491b5aa0e90a2ed7f79e79a7ccd8a
SSDEEP

12288:SuYf4G98DKoOItok+WVkmiF3Z4mxx4Q1qkh17+jVEG:SL6OhIitWVriQmX4UncVEG

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4588	Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Service.exe	fba1b8e53e53a68c3ee166c4bdb61087_JaffaCakes118.exe
File opened for modification	C:\Windows\Service.exe	fba1b8e53e53a68c3ee166c4bdb61087_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	fba1b8e53e53a68c3ee166c4bdb61087_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fba1b8e53e53a68c3ee166c4bdb61087_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Service.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5012	fba1b8e53e53a68c3ee166c4bdb61087_JaffaCakes118.exe
Token: SeDebugPrivilege	4588	Service.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4588	Service.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 1512	5012	fba1b8e53e53a68c3ee166c4bdb61087_JaffaCakes118.exe	83
PID 5012 wrote to memory of 1512	5012	fba1b8e53e53a68c3ee166c4bdb61087_JaffaCakes118.exe	83
PID 5012 wrote to memory of 1512	5012	fba1b8e53e53a68c3ee166c4bdb61087_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\fba1b8e53e53a68c3ee166c4bdb61087_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fba1b8e53e53a68c3ee166c4bdb61087_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1512

C:\Windows\Service.exe
C:\Windows\Service.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Service.exe

Filesize
596KB

MD5
fba1b8e53e53a68c3ee166c4bdb61087

SHA1
6b69c6e4d7007a67da0a352ac643d8d9ae03fc5a

SHA256
07f79612340c73aea3a5ee31715185f27cdc6f8230c6e5fae0e9d49853458ef3

SHA512
be42239b9287e26062b61b477389f5ecb8a297fe6673f2627358b583165c01dcdad3c7dfa416ede2948494c7278ee9e8c53491b5aa0e90a2ed7f79e79a7ccd8a

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
c1c065a4326e926438a956e10164699f

SHA1
c08365d20526a35e114aeb801e0fe4758aae5f19

SHA256
69c94ae1195de7e502a5b16432915ab7e8d3653717e39090bb3c293dd2b771a1

SHA512
51bcc82f6f0daeca9f54b1d9d16a66afd7755284d377f6e7cc198b4d172ffb2a5aa8100042f1c7aaddaec15cb8297327a678921e1d35b82fce243b83b7087e71

Download Submit
memory/4588-66-0x0000000000400000-0x0000000000571000-memory.dmp

Filesize
1.4MB

Download
memory/4588-72-0x0000000000400000-0x0000000000571000-memory.dmp

Filesize
1.4MB

Download
memory/4588-76-0x0000000000400000-0x0000000000571000-memory.dmp

Filesize
1.4MB

Download
memory/5012-41-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-37-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-47-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-60-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-59-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-58-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-57-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-56-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-55-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-54-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-53-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-52-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-51-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-50-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-49-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-29-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-36-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-35-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-34-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-33-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-32-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-31-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-30-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-48-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-46-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-45-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-44-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-43-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/5012-42-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-0-0x0000000000400000-0x0000000000571000-memory.dmp

Filesize
1.4MB

Download
memory/5012-1-0x0000000002350000-0x00000000023A4000-memory.dmp

Filesize
336KB

Download
memory/5012-40-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-22-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-39-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-28-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-27-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-26-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-25-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-24-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-23-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-38-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-21-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-20-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-19-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-18-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-17-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-16-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5012-15-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/5012-14-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/5012-13-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/5012-12-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/5012-11-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/5012-10-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/5012-9-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/5012-8-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/5012-7-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/5012-6-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/5012-5-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/5012-4-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/5012-3-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/5012-2-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/5012-61-0x0000000000400000-0x0000000000571000-memory.dmp

Filesize
1.4MB

Download
memory/5012-69-0x0000000000400000-0x0000000000571000-memory.dmp

Filesize
1.4MB

Download
memory/5012-70-0x0000000002350000-0x00000000023A4000-memory.dmp

Filesize
336KB

Download