0dcc65609b173528f40081602d8a74462900401d529030903073c54fe554463f

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fba7b5ebc7040ce28a81b7057c72fcd3_JaffaCakes118.exe
Size

1.2MB
MD5

fba7b5ebc7040ce28a81b7057c72fcd3
SHA1

186d9c84104b6725a86909a8fc6fb95adb244cc3
SHA256

0dcc65609b173528f40081602d8a74462900401d529030903073c54fe554463f
SHA512

e5e1d51c150483dbae669855f597f04f6ee831eccb2516216cee8fccdaf731b1b16507607e6d08c399baec3f3e1b8054fe232406fd413062d92ad8faf53af6db
SSDEEP

24576:rH6aLepHzvNAd0GnbT1SNsAX7yCcYPH/fqccxlSWFor5xhko6E:rH6ageJv1SOc7yCLabSB5xhp

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fba7b5ebc7040ce28a81b7057c72fcd3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2832	2132	fba7b5ebc7040ce28a81b7057c72fcd3_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2832	2132	fba7b5ebc7040ce28a81b7057c72fcd3_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2832	2132	fba7b5ebc7040ce28a81b7057c72fcd3_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2832	2132	fba7b5ebc7040ce28a81b7057c72fcd3_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2832	2132	fba7b5ebc7040ce28a81b7057c72fcd3_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2832	2132	fba7b5ebc7040ce28a81b7057c72fcd3_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2832	2132	fba7b5ebc7040ce28a81b7057c72fcd3_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2908	2132	fba7b5ebc7040ce28a81b7057c72fcd3_JaffaCakes118.exe	32
PID 2132 wrote to memory of 2908	2132	fba7b5ebc7040ce28a81b7057c72fcd3_JaffaCakes118.exe	32
PID 2132 wrote to memory of 2908	2132	fba7b5ebc7040ce28a81b7057c72fcd3_JaffaCakes118.exe	32
PID 2132 wrote to memory of 2908	2132	fba7b5ebc7040ce28a81b7057c72fcd3_JaffaCakes118.exe	32
PID 2832 wrote to memory of 2128	2832	cmd.exe	33
PID 2832 wrote to memory of 2128	2832	cmd.exe	33
PID 2832 wrote to memory of 2128	2832	cmd.exe	33
PID 2832 wrote to memory of 2128	2832	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\fba7b5ebc7040ce28a81b7057c72fcd3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fba7b5ebc7040ce28a81b7057c72fcd3_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\winupdate.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy "C:\Users\Admin\AppData\Local\Temp\fba7b5ebc7040ce28a81b7057c72fcd3_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\\usnscv.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2128
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\winupdate.bat

Filesize
162B

MD5
45dc999ad2b80de88f6912190db56f5c

SHA1
ca7d1ec516bea59a7c640551e37eaeec1007562f

SHA256
58c6c1e50197cf2802f1552fcdfbd9480a6bb8d5e54fa024d165effb9d558605

SHA512
a64ac59a554a5b6bcc2813ff89de158c71849ba815fc16eb63728b7390f9bac4106585f1411130ab42b9ba98fcfa65502a90cc45bc9e30c0cacd0d03f26ac504

Download Submit
memory/2132-0-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2132-9-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download