7f859a42db4bf2767c59b7ac74f4b529834d7e6d7fdba8796618e1b7281e5e63

Analysis

max time kernel
145s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-09-2024 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
Size

87KB
MD5

feb99b74ebd5d413ee238de3478a9bd6
SHA1

7c8886fb640a3578bcd15040526a11436478ff8f
SHA256

7f859a42db4bf2767c59b7ac74f4b529834d7e6d7fdba8796618e1b7281e5e63
SHA512

65f0fa0bd03c3318dc8c9a047ebc24fd8fcc0d36054aa797fcfe42e707e2691350d498075c1a5940c4eaae3dfcb1e1c66997c07944ae143973e9054f148804c1
SSDEEP

1536:gMqbjyuQSgMgDxTi2ZfzAoswexmVEYjUd+YbWsEe2zVc89BvBjgNSc:9qGuQSgfl5b+Ojc+YWsEe2zVc89lB8NV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2244	Slave.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Slave.exe	feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
File opened for modification	C:\Windows\Slave.exe	feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Slave.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1748	feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1748	feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
Token: SeSecurityPrivilege	1748	feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
Token: SeShutdownPrivilege	1748	feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
Token: SeTcbPrivilege	1748	feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2244	Slave.exe
Token: SeIncBasePriorityPrivilege	2244	Slave.exe
Token: SeSecurityPrivilege	2244	Slave.exe
Token: SeShutdownPrivilege	2244	Slave.exe
Token: SeTcbPrivilege	2244	Slave.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe
2244	Slave.exe

C:\Users\Admin\AppData\Local\Temp\feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\Slave.exe
C:\Windows\Slave.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Slave.exe

Filesize
87KB

MD5
feb99b74ebd5d413ee238de3478a9bd6

SHA1
7c8886fb640a3578bcd15040526a11436478ff8f

SHA256
7f859a42db4bf2767c59b7ac74f4b529834d7e6d7fdba8796618e1b7281e5e63

SHA512
65f0fa0bd03c3318dc8c9a047ebc24fd8fcc0d36054aa797fcfe42e707e2691350d498075c1a5940c4eaae3dfcb1e1c66997c07944ae143973e9054f148804c1

Download Submit
C:\ra_slave.log

Filesize
385B

MD5
e4026159d14dad17a91b58a25fb71ff5

SHA1
011494819c6c6b6a421faeea75d29d04434d7a60

SHA256
401b1927ca02f62d63f271e4ae786e68eee4555ba2781c289b6ac4544c0f55c9

SHA512
f250d8c1746b65919330bf0a7ed8797a89486f12e14283a7b5c029b36a6c41a462ef6c9aeb97fd62344aa3c0f38be63ba29ecf78b778d235f57fd02ea24c21cd

Download Submit
memory/1748-22-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1748-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2244-7-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2244-25-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2244-28-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2244-31-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2244-34-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2244-37-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download