525e1dea9bf996679fd1085810521fcca0ba2049798f330e5e56b3a520df868d

Analysis

max time kernel
12s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0763d07c1519e2e78aff282b6923550b_JaffaCakes118.exe
Size

75KB
MD5

0763d07c1519e2e78aff282b6923550b
SHA1

6cb9c6c6a389dad80fd0dea2d7e050271e47c0e6
SHA256

525e1dea9bf996679fd1085810521fcca0ba2049798f330e5e56b3a520df868d
SHA512

825d1c08be20f72ddf8b77aa87e8213b97740a416bab6dbbe554cac1aa62667f702add3bc68070a96c17646264da4b5b216a35a9326068b67bc6ead682c5ab01
SSDEEP

1536:9/aOfvKzTGcyr6tIMJAzpaGJq5a+OeU9DCq1W:9/rKzpyGtIMupaGs0TeU9DbW

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2164	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0763d07c1519e2e78aff282b6923550b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2164	2056	0763d07c1519e2e78aff282b6923550b_JaffaCakes118.exe	29
PID 2056 wrote to memory of 2164	2056	0763d07c1519e2e78aff282b6923550b_JaffaCakes118.exe	29
PID 2056 wrote to memory of 2164	2056	0763d07c1519e2e78aff282b6923550b_JaffaCakes118.exe	29
PID 2056 wrote to memory of 2164	2056	0763d07c1519e2e78aff282b6923550b_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\0763d07c1519e2e78aff282b6923550b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0763d07c1519e2e78aff282b6923550b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Wxj..bat" > nul 2> nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Wxj..bat

Filesize
238B

MD5
c299bf837e4b57631b186a8880dfb90b

SHA1
0d642e0f1e40e1c9dbfb3a2250458f988a0b504a

SHA256
167bd52b106c8fc8a5ef7d134ee7f7d855d3fe8c15dfe1db65a0ae6632d0d084

SHA512
2e3350243ebe22a48af74fd5650676d95d62089b36b53d42b3edc2d5962a780c99c1cfe8dbab94e0fdf8d93e8854491f70b6213dc2292fe2096f963ccaf8ef80

Download Submit
memory/2056-0-0x00000000002E0000-0x00000000002F3000-memory.dmp

Filesize
76KB

Download
memory/2056-1-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2056-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2056-3-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2056-6-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download