9e18a8cc844e98cbb543af8769c61f3e74d041bd1256ba3aeead0f5518de3a8a

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0893f26fafe63e361bd23f6bb57fed2d_JaffaCakes118.exe
Size

3.2MB
MD5

0893f26fafe63e361bd23f6bb57fed2d
SHA1

7a06dfafc866d2f15c8c14148b40fb3090fdad7e
SHA256

9e18a8cc844e98cbb543af8769c61f3e74d041bd1256ba3aeead0f5518de3a8a
SHA512

2b0e2e509a50dae438689df0c980bf6a6f2526952a866b86add1d05600c7c88fc1e1569c269ce3cc9edc73c4dd0e43bf9169aaef5e9775689e1fa6f6f3eab870
SSDEEP

49152:Th+ITVyW1xbi2K8ZWzskMcjhdRh6v5QEnVgNJwP16ascNup5XN9:TEIdLbDW0mA6Enow96Fln

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2760	autorun.exe

Loads dropped DLL 1 IoCs

pid	Process
1908	0893f26fafe63e361bd23f6bb57fed2d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	autorun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0893f26fafe63e361bd23f6bb57fed2d_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2760	autorun.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1908	0893f26fafe63e361bd23f6bb57fed2d_JaffaCakes118.exe
1908	0893f26fafe63e361bd23f6bb57fed2d_JaffaCakes118.exe
2760	autorun.exe
2760	autorun.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2760	1908	0893f26fafe63e361bd23f6bb57fed2d_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2760	1908	0893f26fafe63e361bd23f6bb57fed2d_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2760	1908	0893f26fafe63e361bd23f6bb57fed2d_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2760	1908	0893f26fafe63e361bd23f6bb57fed2d_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2760	1908	0893f26fafe63e361bd23f6bb57fed2d_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2760	1908	0893f26fafe63e361bd23f6bb57fed2d_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2760	1908	0893f26fafe63e361bd23f6bb57fed2d_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\0893f26fafe63e361bd23f6bb57fed2d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0893f26fafe63e361bd23f6bb57fed2d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
  "C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\0893f26fafe63e361bd23f6bb57fed2d_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Butonacikmavi.Btn

Filesize
11KB

MD5
25c8f8a66f92ec598d94b34502976c3f

SHA1
af145d7c3bafa5879cdd92a071a48ad0be008f85

SHA256
cf5fa97783528f788d273cca574eca99f7c78d7dcb9b123b448f966cdfd91115

SHA512
ec1f7603652b3e38c8db238d7fa63f3650f3579d5335af0add36208ead5a7fab5ab995e504e49a828710c30e62d135b7059cf5a9052cd5786d3e0c132be844fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Kapat_1.Btn

Filesize
4KB

MD5
161bf625d934a2ad4db7b37f55cc9ee6

SHA1
22777c28d675097860eea56f3420e988efefb4c5

SHA256
252d363bd02ef8cfaa1aa661f16e59c6d17a8a9f6aa8f626202ab10efaff124a

SHA512
4e270238a8e044855b93b01a95213f01c23462f30a51ab55b2108513775b5373ace657762f7734b77681312d2157865eba5fdc66c48a3177c49053c56b24e531

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Kucult_2.Btn

Filesize
3KB

MD5
6967f523fecb50c3c2029fadbfa497d6

SHA1
7f669e458610b5ce2731b55e21e6aa33019aef7e

SHA256
24afb029511730753a907f9968638909b85c429abb1aedf47eaaf3b8bfe7068b

SHA512
72f9257de38a920e20014ffd97b5741083718635031f90251d6229b047968546ba76ea726f2de4227c78c12d0cd213ad790dd644f05978cb9bc47df571f5e0ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\Blogger.png

Filesize
2KB

MD5
1de7af957e40a86942dbe41f18cb43d8

SHA1
6d7f9ba0dce35e1838baf4a429002572690656e7

SHA256
49e6eebc88fd0ee34a817687919679059fd751db1991efbda1364df525415678

SHA512
74f1b1748a968a106dd5d65508ccfbb4665784f1f8b0e481fbf9f75c57ea4551faf976160e54bcc45b8b1383f399fc29b95e861917d95bcea029a21a9937574e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\Thumb_imLogo.jpg

Filesize
4KB

MD5
a641159ee864af405582f65296f9b5a3

SHA1
1026c43a4ca47efdb8652ca78573973372943075

SHA256
7658a795cbc4cff7bbf02f9a9fdc2e641ce7e87990df1ab98564fa59b5d0a4f2

SHA512
8c679af9283444c1aaff18c961afbdb5a0adba3f4e5bc7cc2db13d187df911d33a8e727ce263366a76189fb0fef5bc5a628d04de9240781a8ae7ad9b737bd59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\Upload.png

Filesize
6KB

MD5
3d5d534526850b82d041d089b68cabba

SHA1
7017d53953868995745ab8978bc36052adedd071

SHA256
945b67f9b91fd2519183d5199a02ea73cdd2016133e0b848908a6946b5066183

SHA512
dac239bac2973bc5e20b957f78c6431c21374c96974806b10d1fab185fb89190b1459b7f164e09669140dad1a50776f4aec3d9c844d071f5ce84b467d055e01f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\Yahoo_Messenger.png

Filesize
4KB

MD5
1c4f3e9a18d7ec2f83126d083258dc3c

SHA1
2da16a550b590fac2da3766e76e27d2def5cc1af

SHA256
e46bec334a1e9f55e5593b761f97455d80e7a47bc808928e4e2489503b14afaf

SHA512
bc2c479097cf74e430557d7ca463921b30e6597fd4e6336ed4bc0a60455f63ffaf867f8b93559ab338fc65401af773572239d706ef1f073a489f6505e44403af

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\feed-icon-28x28.png

Filesize
1KB

MD5
e077f1f611f09d672b0db3a79b96d530

SHA1
0489f1cd917915cc8a8ecfef0e3a7988f299bb5f

SHA256
473feba11f89b4d197a2263ebb6567e53b75a969cff0679ccf50f6634fa3a4f5

SHA512
0b037b43138ab77a6185b9f032a579a3da84383beeafa26c88ac1f096c537a02be67f3e08b08649fa4a967700077722e736aaa2d86dee3cc4807dbc092b837b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\seagreen_leftside_over_alpha.png

Filesize
1KB

MD5
09f7feb9fefb1058e04d910a293f0f59

SHA1
62a2b6ab693ab70049da479cbacea16b5b2dc2ed

SHA256
cdce271fa75c4d990deda53f833e06b70bfcd9dfacc011829d8e3fc778e95aaa

SHA512
ca7d711c3ba7c5de0d37eb670ec4ae880c125d4114458b53088306bcafaf71bd3778b75c9ad2d590c46d13f83cf561aaacb8f2fa4b72478793d29fc2a76abf6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\unlock.jpg

Filesize
28KB

MD5
fa03931f6fc5cbdfc95bd5cf08e463de

SHA1
dca38c544d4f75ab14de828d8ebacae6ed098d60

SHA256
661cb93910be7f34d6f9b4e4f0f9acc6850fc94ee3d46673bbbf162acb214ce5

SHA512
e1683b4a03aa8cbf118fba1361049df2bf23b8716897de79c37a72a62eb0713008e938f81f9358b0533ba95b275c472d33d1dff488dbfc27246367f0f2e51cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

Filesize
572KB

MD5
d8fb0c6b3b6d386111bfed4f67042824

SHA1
1014556aa24307f1fd2909e93cc50c4e2d0a68cd

SHA256
605aa85640d3e913731226e08ab94d8eb0d6e4af9405f434d352a0a73a153cf2

SHA512
f2fbbbc07758cbe612d5495401a63b0204a66568c3a70f770533ae2c55d4d82048633adc2036826809b4f7e69dddbfbb12cddcdfe66ae7ea4d25b597cc409b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
2.7MB

MD5
b6cbae73e4805223ae760e4aeb34a71d

SHA1
08fbcb3662d87c00067b5858eea8ee6a1bb5dfa2

SHA256
5ba410379bb4657027f3114395043bbfd07e204c91268bcdd976c008ac1bf287

SHA512
5467a8714f541dee0ae108ee0a27ee6c0c2893c08acc3a2f48f630706e4dc7b6f1d16bb748f449da45e4d845c2843107555fdadf32b4b7d73f4b798392cf1648

Download Submit