7f859a42db4bf2767c59b7ac74f4b529834d7e6d7fdba8796618e1b7281e5e63

Analysis

max time kernel
145s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
Size

87KB
MD5

feb99b74ebd5d413ee238de3478a9bd6
SHA1

7c8886fb640a3578bcd15040526a11436478ff8f
SHA256

7f859a42db4bf2767c59b7ac74f4b529834d7e6d7fdba8796618e1b7281e5e63
SHA512

65f0fa0bd03c3318dc8c9a047ebc24fd8fcc0d36054aa797fcfe42e707e2691350d498075c1a5940c4eaae3dfcb1e1c66997c07944ae143973e9054f148804c1
SSDEEP

1536:gMqbjyuQSgMgDxTi2ZfzAoswexmVEYjUd+YbWsEe2zVc89BvBjgNSc:9qGuQSgfl5b+Ojc+YWsEe2zVc89lB8NV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2904	Slave.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Slave.exe	feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
File opened for modification	C:\Windows\Slave.exe	feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Slave.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4016	feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
4016	feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
4016	feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
4016	feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4016	feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4016	feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
Token: SeSecurityPrivilege	4016	feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
Token: SeShutdownPrivilege	4016	feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
Token: SeTcbPrivilege	4016	feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2904	Slave.exe
Token: SeIncBasePriorityPrivilege	2904	Slave.exe
Token: SeSecurityPrivilege	2904	Slave.exe
Token: SeShutdownPrivilege	2904	Slave.exe
Token: SeTcbPrivilege	2904	Slave.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe
2904	Slave.exe

C:\Users\Admin\AppData\Local\Temp\feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\Slave.exe
C:\Windows\Slave.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Slave.exe

Filesize
87KB

MD5
feb99b74ebd5d413ee238de3478a9bd6

SHA1
7c8886fb640a3578bcd15040526a11436478ff8f

SHA256
7f859a42db4bf2767c59b7ac74f4b529834d7e6d7fdba8796618e1b7281e5e63

SHA512
65f0fa0bd03c3318dc8c9a047ebc24fd8fcc0d36054aa797fcfe42e707e2691350d498075c1a5940c4eaae3dfcb1e1c66997c07944ae143973e9054f148804c1

Download Submit
C:\ra_slave.log

Filesize
563B

MD5
4189c426759265139dbb8e6f8e2b20f4

SHA1
c5c7245e63affd191047c732a4dd12f8facbcea4

SHA256
9f8531abccbf26599bc9ce2e1af640058c36894a976611c8535a1bceeb80b819

SHA512
07f08a4b0dffc1632e9f29fd44ce911036c53f3e6c4b123ccde2f6976e99a22357f2352a69a65f5f353f741fa0a2ecbaafb2d5a5e587a3ae2cec37b4d8c01153

Download Submit
memory/2904-17-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-25-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-28-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-32-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-35-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4016-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4016-24-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download