39284c0816bed1b198b71d0bd02c2f0d62c56b4bb5e7f990a4f64e28460ec127

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

036526da192b95a09d5895ac23d9d31f_JaffaCakes118.exe
Size

24KB
MD5

036526da192b95a09d5895ac23d9d31f
SHA1

cc2081e10a6f07d2036919e9b3b77fe77308feee
SHA256

39284c0816bed1b198b71d0bd02c2f0d62c56b4bb5e7f990a4f64e28460ec127
SHA512

93a6a3844f8187a209485d2b36ec19a4eeacbf3b35480121515ce02a84b7a0fed2605e4d5a47196fba1042ab1852252935dfb5116f553b4dd7964ea4dd809c6c
SSDEEP

384:E3eVES+/xwGkRKJ6lM61qmTTMVF9/q5R0:bGS+ZfbJ6O8qYoAO

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"	036526da192b95a09d5895ac23d9d31f_JaffaCakes118.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
3016	tasklist.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe	036526da192b95a09d5895ac23d9d31f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	036526da192b95a09d5895ac23d9d31f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2144	ipconfig.exe
1128	NETSTAT.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	tasklist.exe
Token: SeDebugPrivilege	1128	NETSTAT.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2956	036526da192b95a09d5895ac23d9d31f_JaffaCakes118.exe
2956	036526da192b95a09d5895ac23d9d31f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2268	2956	036526da192b95a09d5895ac23d9d31f_JaffaCakes118.exe	30
PID 2956 wrote to memory of 2268	2956	036526da192b95a09d5895ac23d9d31f_JaffaCakes118.exe	30
PID 2956 wrote to memory of 2268	2956	036526da192b95a09d5895ac23d9d31f_JaffaCakes118.exe	30
PID 2956 wrote to memory of 2268	2956	036526da192b95a09d5895ac23d9d31f_JaffaCakes118.exe	30
PID 2268 wrote to memory of 1504	2268	cmd.exe	32
PID 2268 wrote to memory of 1504	2268	cmd.exe	32
PID 2268 wrote to memory of 1504	2268	cmd.exe	32
PID 2268 wrote to memory of 1504	2268	cmd.exe	32
PID 2268 wrote to memory of 2144	2268	cmd.exe	33
PID 2268 wrote to memory of 2144	2268	cmd.exe	33
PID 2268 wrote to memory of 2144	2268	cmd.exe	33
PID 2268 wrote to memory of 2144	2268	cmd.exe	33
PID 2268 wrote to memory of 3016	2268	cmd.exe	34
PID 2268 wrote to memory of 3016	2268	cmd.exe	34
PID 2268 wrote to memory of 3016	2268	cmd.exe	34
PID 2268 wrote to memory of 3016	2268	cmd.exe	34
PID 2268 wrote to memory of 3028	2268	cmd.exe	36
PID 2268 wrote to memory of 3028	2268	cmd.exe	36
PID 2268 wrote to memory of 3028	2268	cmd.exe	36
PID 2268 wrote to memory of 3028	2268	cmd.exe	36
PID 3028 wrote to memory of 3068	3028	net.exe	37
PID 3028 wrote to memory of 3068	3028	net.exe	37
PID 3028 wrote to memory of 3068	3028	net.exe	37
PID 3028 wrote to memory of 3068	3028	net.exe	37
PID 2268 wrote to memory of 1128	2268	cmd.exe	38
PID 2268 wrote to memory of 1128	2268	cmd.exe	38
PID 2268 wrote to memory of 1128	2268	cmd.exe	38
PID 2268 wrote to memory of 1128	2268	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\036526da192b95a09d5895ac23d9d31f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\036526da192b95a09d5895ac23d9d31f_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c set
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1504
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:2144
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- - C:\Windows\SysWOW64\net.exe
    net start
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start
      4⤵
      System Location Discovery: System Language Discovery
      PID:3068
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -an
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\temp\flash.log

Filesize
8KB

MD5
5ec3c538ebeb32b9d8204388349b6d65

SHA1
c5154cc1a182cdf5d31339be2cc0ebae535de7ed

SHA256
206485c2b0a717db7f1fab7c56c7cfcc90047a3c6f98b14069aa97b179681867

SHA512
88cc8c32e9a2bef1942cd29abd31f86db512edde6d960d812238fc64a0a984800fbe035e6d46b7f8dfe362322b864ae60c42d4402c13b50792005d2d42eb83d9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads