9e359e9b4ec8624844807156c7896649239f34f1d3220cddf7a569743f764381

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07ed1b17e8688c2b6516fd01737c78de_JaffaCakes118.exe
Size

268KB
MD5

07ed1b17e8688c2b6516fd01737c78de
SHA1

1975bc45de6ec92d42ec82dc0e0386aa0f67e52a
SHA256

9e359e9b4ec8624844807156c7896649239f34f1d3220cddf7a569743f764381
SHA512

23f22bdb98a169d1595afc2085551b536342cbdcae7b98b8a18b86b8b77b06fe49e2c3e08633f1d6637351cbdcef48ab86f96f63f52bc2e878b96d8e21bf6563
SSDEEP

6144:oXVM0VHWskghnZNX56mzcInrdVryWxitMMw2DYmIEr:kMDsZ556mHzPx/eDYm9

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2564	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
2084	07ed1b17e8688c2b6516fd01737c78de_JaffaCakes118.exe
2084	07ed1b17e8688c2b6516fd01737c78de_JaffaCakes118.exe
2084	07ed1b17e8688c2b6516fd01737c78de_JaffaCakes118.exe
2084	07ed1b17e8688c2b6516fd01737c78de_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07ed1b17e8688c2b6516fd01737c78de_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2564	2084	07ed1b17e8688c2b6516fd01737c78de_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2564	2084	07ed1b17e8688c2b6516fd01737c78de_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2564	2084	07ed1b17e8688c2b6516fd01737c78de_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2564	2084	07ed1b17e8688c2b6516fd01737c78de_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2564	2084	07ed1b17e8688c2b6516fd01737c78de_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2564	2084	07ed1b17e8688c2b6516fd01737c78de_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2564	2084	07ed1b17e8688c2b6516fd01737c78de_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\07ed1b17e8688c2b6516fd01737c78de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07ed1b17e8688c2b6516fd01737c78de_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c \DelUS.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat

Filesize
228B

MD5
90a7d32315f79cab2a592784d12218e8

SHA1
fca2c89771c29b077744728476bc9492174aea5f

SHA256
6553b5feac69b0e0275a5da9f18cdb5eee0310688b4e18e3786e70e32410140d

SHA512
22a1de49bfdc1b23c192d368b43a97285e315ea4ec3b2eeab9dede6e9b24146217e48bbfd84ca04756660d7b3a7c8728f88cb1d780353460f8e0f2fc2a9fc814

Download Submit
\Users\Admin\AppData\Local\Temp\nst2FF.tmp\DBCount.dll

Filesize
92KB

MD5
523c8f7a466a7ab488615c26f972aa43

SHA1
de7cee6f1f7a5dcc413fddbb939c844a04c0631c

SHA256
343ce0e3713a74f4ee80315e8f03641f44a3328b1bb61ed12157d69dad5a4f34

SHA512
bea9486209e0d4ecc851ab8b1cbd68a1bd0a6067b6302c6c7aa9e3fa546940f6f78f4c96e0c324946eddcd67e6f20ccd99375dc4b6ed64df38da6676bf60a351

Download Submit
\Users\Admin\AppData\Local\Temp\nst2FF.tmp\Math.dll

Filesize
66KB

MD5
468914ab4ea3afc6fda29031c758394e

SHA1
d3b632778a03567efa761401151bfe80d0fe956c

SHA256
8a8d78657f0f6b44f18b16e7eea3e62eef6720e04cd2efc820d62bbe987afac1

SHA512
0b3df17a3a17a82ba7092ff384c7d820d9f1103fcfa732fb399cf0ff065ec6913a73bea433e19ad787bccf272059e39d196322445d9a6327bb25738f343926ce

Download Submit
\Users\Admin\AppData\Local\Temp\nst2FF.tmp\SelfDelete.dll

Filesize
24KB

MD5
7bf1bd7661385621c7908e36958f582e

SHA1
43242d7731c097e95fb96753c8262609ff929410

SHA256
c0ad2c13d48c9fe62f898da822a5f08be3bf6c4e2c1c7ffdf7634f2ca4a8859e

SHA512
8317af5cc3ac802eb095f3fa8cc71daa1265ca58fead031c07872f3d4bb07663a7002ae734fad392a7617f0923fe0caf1f54ed55afdf8516a6a08e202d86fa7f

Download Submit
\Users\Admin\AppData\Local\Temp\nst2FF.tmp\System.dll

Filesize
10KB

MD5
32465a07028b927b22c38e642c2cb836

SHA1
309cac412b2ecf6a36f6e989c828afcdd8c7a6e4

SHA256
eda545d4dcb37098a90fce9692d5094bb56897f04eff6d40e3dedd122a4d1292

SHA512
9d886a722bbbb5d8d77e97d256057fe685f1932042257a8382e13548fe835d01c64de65e2b5ad2c2ff99692b14c924e6ddb84797f6224f1772e8699b421e6aff

Download Submit
memory/2084-9-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download