12dcccf0cd91c12cc77f0b085e13dd81cfc4fb052bec991c1fe739b1eb435bc2

Analysis

max time kernel
141s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 03:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe
Size

51KB
MD5

04289dbd55b1537bb67d69690577d902
SHA1

e28f01b361c413ef3d23a488e96b928c417933b2
SHA256

12dcccf0cd91c12cc77f0b085e13dd81cfc4fb052bec991c1fe739b1eb435bc2
SHA512

58c9f4aec4ee8114f7b3db69e1f8f8b6616b0d1149eea0d585e279cd107b39c6cb4a2e749edbb97eab0c338fbc334fd0d3302d6b2ac8782336f0ec2ba0be636f
SSDEEP

1536:6OSVGf4MtI8W1forhH7LzLzC+gzZpJiTLL:uGwd8W1forhbL3U1pJo

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1496	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
2632	mmxprotopro.exe
1712	eltpart1.exe
2628	drsmartload125a.exe
1660	mc-110-12-0000352.exe

Loads dropped DLL 26 IoCs

pid	Process
2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe
2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe
2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe
2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe
2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe
2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe
2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe
2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe
2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe
2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe
2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe
2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe
2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe
2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe
2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe
2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe
2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe
2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe
2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe
1660	mc-110-12-0000352.exe
1660	mc-110-12-0000352.exe
1660	mc-110-12-0000352.exe
1660	mc-110-12-0000352.exe
1660	mc-110-12-0000352.exe
1660	mc-110-12-0000352.exe
1660	mc-110-12-0000352.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Download\	mc-110-12-0000352.exe
File created	C:\Program Files (x86)\Common Files\Download\mc-110-12-0000352.exe	mc-110-12-0000352.exe
File opened for modification	C:\Program Files (x86)\Common Files\Download\mc-110-12-0000352.exe	mc-110-12-0000352.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmxprotopro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eltpart1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drsmartload125a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mc-110-12-0000352.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	1660	mc-110-12-0000352.exe
Token: SeBackupPrivilege	1660	mc-110-12-0000352.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2632	mmxprotopro.exe
1712	eltpart1.exe
2628	drsmartload125a.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2632	2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2632	2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2632	2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2632	2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe	30
PID 2700 wrote to memory of 1712	2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe	31
PID 2700 wrote to memory of 1712	2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe	31
PID 2700 wrote to memory of 1712	2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe	31
PID 2700 wrote to memory of 1712	2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe	31
PID 2700 wrote to memory of 2628	2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe	32
PID 2700 wrote to memory of 2628	2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe	32
PID 2700 wrote to memory of 2628	2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe	32
PID 2700 wrote to memory of 2628	2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe	32
PID 2700 wrote to memory of 1660	2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe	33
PID 2700 wrote to memory of 1660	2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe	33
PID 2700 wrote to memory of 1660	2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe	33
PID 2700 wrote to memory of 1660	2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe	33
PID 2700 wrote to memory of 1660	2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe	33
PID 2700 wrote to memory of 1660	2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe	33
PID 2700 wrote to memory of 1660	2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe	33
PID 2700 wrote to memory of 1496	2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe	34
PID 2700 wrote to memory of 1496	2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe	34
PID 2700 wrote to memory of 1496	2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe	34
PID 2700 wrote to memory of 1496	2700	04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\mmxprotopro.exe
  "C:\Users\Admin\AppData\Local\Temp\mmxprotopro.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2632
- C:\Users\Admin\AppData\Local\Temp\eltpart1.exe
  "C:\Users\Admin\AppData\Local\Temp\eltpart1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1712
- C:\Users\Admin\AppData\Local\Temp\drsmartload125a.exe
  "C:\Users\Admin\AppData\Local\Temp\drsmartload125a.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2628
- C:\Users\Admin\AppData\Local\Temp\mc-110-12-0000352.exe
  "C:\Users\Admin\AppData\Local\Temp\mc-110-12-0000352.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ope4204.bat" "" "C:\Users\Admin\AppData\Local\Temp" "04289dbd55b1537bb67d69690577d902_JaffaCakes118.exe""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Download\mc-110-12-0000352.exe

Filesize
41KB

MD5
29ba9011dea3f97e5145eb3bf460d8b6

SHA1
68650ac9db85a79e62db9b1e19d6c0bd1ba6b23f

SHA256
e6c75a640e5ef2165f1bca62be3b84571ea28fc9b0eec8444fa9219043f64208

SHA512
756157099d3c3606e3b16bb38b3daa86d2a2bded5f85a4c4da450ffc23dca8f13efaa0750686b82138b000372bd1fb8cd3e10f7af1deb2ec67e223d544183dad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58a7e4ccb863da580b93604c93ef5086

SHA1
24e74359590a6309b9a94b3c38fa479cba2996dd

SHA256
8f9ccc8d05cd852ae29b93a17aeb58d4f63876bd59180e4fefd442b40bda2c84

SHA512
33fa966415509b60d63ef963c2153cedabeedb86bbca1db8315a5a088f97332d31434e7cef3edc28806d7159fac52f906341e68047956fbb3e805fe168c6b244

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5b7f9cb12a53040b940edda4c53510d

SHA1
0b5c969d5b6adf4d026d5d0527bdbad3edc278ab

SHA256
fe8acf56bd428e484db501e12cb208377ad05c021b7d94cb8c42d4ba67af6eb4

SHA512
e86aad496e1ef84a02ace51de0d3ae2fc9f05ffed72c0196300ce1cc92acc45adb91a8849d0bcd2c33862db3b09fa51444b6a51c4daa42b47d5128900a457f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4674.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar46E5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mc-110-12-0000352.exe

Filesize
38KB

MD5
9c9b7a0e340c4ea7ec416b2976965ccc

SHA1
ec0264f5c7c824f42a98d43f26085445e9dfa091

SHA256
851ee8010de537742d02feb3516615af272615eb380328a9a5ec9668c874191f

SHA512
4928021da9097e89122de5511839f1afeb5e55c5e897091b17ee311f9e11e9b8a296f12516fa8d5735232138e3b29921f6208fd283d8a1859ef615bc82c64a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\ope4204.bat

Filesize
44B

MD5
bd72f632464c3ff2f5a20870b59aa27b

SHA1
4bbb3d50ec61ce9adebf98a3c8f7a0bbe960a684

SHA256
9ddaf09d8002847f4ab98a3e2f50730aa4a6950815aeef1ec55bae5482afb0f4

SHA512
12295684b9c54f7a3a55c60be888941124072c864f1b52f438bfc04a929ba1e6add8a088f06d3812591a2441ec3409584a72d96f2dd8ebd47c7a7fce51443676

Download Submit
C:\drsmartload1.exe

Filesize
114B

MD5
e89f75f918dbdcee28604d4e09dd71d7

SHA1
f9d9055e9878723a12063b47d4a1a5f58c3eb1e9

SHA256
6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023

SHA512
8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

Download Submit
\Users\Admin\AppData\Local\Temp\drsmartload125a.exe

Filesize
16KB

MD5
06f20d6ec9e59b51ac009c2a23333a77

SHA1
328fbb3c239e55fec6c7371ac329a1c46a96fd85

SHA256
4f981643025e0cf7703e1142aca768bd879f1754839e1207a76d1eee24877037

SHA512
2bf65b141ab80d4d1e4b81c4585b2d958b5cc32a7fa9e8842bb65d6bd0a57de9ead6093d5b4cf54f81f635916fc47878e76381abfc2c7b02b36ad0aca1829660

Download Submit
\Users\Admin\AppData\Local\Temp\eltpart1.exe

Filesize
65KB

MD5
ad2703fdd0d2f1c21b32e1ffce22bde5

SHA1
fc9499bbb31bb0b387677763fb85f41e73f13a21

SHA256
771a9b16ff1af5df7bc25de1da25c4201e522a3b2abf8883c617884af2f3176b

SHA512
50bfb10b1ebb0f0b35723f92ba10614c094777da9ca8566b65663c73e5ca72ae9707e57f5c7e7d718554079614e5210b5fb4b7a4fcc8349ab59c190d5c6c0d1c

Download Submit
\Users\Admin\AppData\Local\Temp\mmxprotopro.exe

Filesize
65KB

MD5
6fda70effe53d09b7426c669f48a6703

SHA1
cc5c52dcaa2d6954abea796ad2e427e895315754

SHA256
d90a14bf769ba77ed2acc65922a0637eddabec6cf88aaac4ecfaca39bd80ff32

SHA512
083df659bbc2bbd6da80bd5b2a742696410656c5af6baa15d7985038d9ec6916c8fa24ae352283498accd026cf6b09d9e09071d20bd7eff57d4ebe504a172cdc

Download Submit
\Users\Admin\AppData\Local\Temp\nse42EB.tmp\SetUserAgent.dll

Filesize
2KB

MD5
236393814d1479d82e6cde6262b67814

SHA1
09fc50ac2006e25cf664a8335f288e3ad5b2ece7

SHA256
751baa24853c3c7367097d6f86c8fc873bdcb255b854c47d7507d901933d2110

SHA512
2077d44d1443bf7d7580dc49b70dbc2d0629b29ab6291a9220aa0ef24bf25b5bfc3424ebd321029a2e9a94d088ff072eb647e049d85d38c7d9390451aa73a367

Download Submit
\Users\Admin\AppData\Local\Temp\nse42EB.tmp\System.dll

Filesize
10KB

MD5
02184a0759753164c0df464de83ce3df

SHA1
cdecd95d93d215897d5b5b1d3ed823f6fc591eee

SHA256
18024b3cefe128951a52ff51acd8e39daf1adc5877ccd7bc63dd205f297a76d2

SHA512
306bbd1705c0a42d61406e72c6fabe8b133a479ce1502d4436cc1b823cff82afad13b75138c31f8841af056c4e8c923c8ddfe40817049fc40351b45fc6f7a79e

Download Submit