9d2f29a7e18331c1ea68912e5efd237a95fd3b027fac44c1016f9dfde37f5244

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
Size

232KB
MD5

04c8d67eb6f2c8410479fd7ecddcb443
SHA1

29003e88336afd4452814b54479c9e467f0ba948
SHA256

9d2f29a7e18331c1ea68912e5efd237a95fd3b027fac44c1016f9dfde37f5244
SHA512

3fabc811b77cf2407085f8a2bcb85dd9437c89ace769147817c0130fb133178ee66fd70feed878275ebf82ffe60d75e1c5c06bb7e444018c24df1bde2f90fc0f
SSDEEP

6144:WVdHl5i0Mm6aQc6UeI77KVgS/wnjhHFpG4b32:WVdR16TBUJKVgk4jhGm2

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2768	2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2768	2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2768	2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2768	2084	04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04c8d67eb6f2c8410479fd7ecddcb443_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin31BB.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_tin31BB.bat

Filesize
44B

MD5
398eea2997a0ade9199a4da25d7675d0

SHA1
d2bb94f2243bab86c8314274860e14b2240f13ef

SHA256
34e06e6ff25f0651839a953e210cfc62097dd0452f648d970a80d3391f7da9e3

SHA512
0a94bbd520ca1a35b696950c889da9ef2e7c0ea8b0a8f1a9c7c4de5df2df6e0da3f4ea62a0c4ecc7ae15db533dd84a7134e71fa79d64e575ca0dfc7ed837cfbb

Download Submit
\Users\Admin\AppData\Local\Temp\E4C69B9A\_Setup.dll

Filesize
146KB

MD5
a3f3a3b608f9a6d604730cb689dc23c6

SHA1
67dbeb74940250916e0592e596aa492c09694f74

SHA256
4020fabec983278cb2f9b1eaa17cd9466bbdbd0842a35182e34ecd302ae9d342

SHA512
beb0ad1f1b2530366dbc366a642d27965d7e851055086d7c302612eae88d19a501d46c66737c8ee4d0d0c2915d9768cd4d2f1b8e5347bcc3480facdb73484c84

Download Submit
\Users\Admin\AppData\Local\Temp\E4C69B9A\_Setupx.dll

Filesize
16KB

MD5
f17dce858db6f84c1c149f8aebb1ce58

SHA1
e54f8c536dd66610d0678a3532c4f8834b01abe6

SHA256
f32c9be19334ec4a212d173f43e3a97e08434000ff7cef8584afbf72e05ba845

SHA512
c08f9efb7a3514c7829d7c9bd0ef384bbe038e695021a089b354eab6e9c13408fab31a01f502013c27c1a50e2e223ad3c33f4ed7424498b4077091c0044b7ce7

Download Submit
\Users\Admin\AppData\Local\Temp\Tsu-0824.dll

Filesize
245KB

MD5
8c7a58965b71c9dfbf1a14d3369a2620

SHA1
26380249b9bdf1ab864b1c8fa4d01e4c28ba9b5c

SHA256
f94e3692cf74256ef5f9df081592603e5b3aac4490ce39cf88363c5f24fa5aa7

SHA512
97302e9a0f53fb7239c92049d61d65be2958de3d674cdc25fb2ac10424814930e982278d6d6e8df2e270116a5a1b7d1cfea14250aea99191f3efd571357c7023

Download Submit