86cbc67b8b4563c4d1e61067d03da71de7ba5334c350df94a96432faf2000147

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 13:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0ad306aa529ff62ea954023ec028d278_JaffaCakes118.exe
Size

130KB
MD5

0ad306aa529ff62ea954023ec028d278
SHA1

01fd01fe58001c9c0bc1a08a919b5470329a205b
SHA256

86cbc67b8b4563c4d1e61067d03da71de7ba5334c350df94a96432faf2000147
SHA512

f3eb12ede792d4b8562e612b3cc18ac8366767420c8a6b9677953189cd6661beb8d5a1cf0744be59bb2ee578d10754f00dadec844b2ebbb5089ca20f9aeb2bff
SSDEEP

1536:KCwuantR42vAfFi2PqHcCZnZ/IKEGXmZU6UltJo/3FBzhu+vxx3GSlCNC/+R4Bl:3wuattvAtmZnaKEQm6/W/3hu8xwCWc

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1972	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ad306aa529ff62ea954023ec028d278_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 1972	2080	0ad306aa529ff62ea954023ec028d278_JaffaCakes118.exe	31
PID 2080 wrote to memory of 1972	2080	0ad306aa529ff62ea954023ec028d278_JaffaCakes118.exe	31
PID 2080 wrote to memory of 1972	2080	0ad306aa529ff62ea954023ec028d278_JaffaCakes118.exe	31
PID 2080 wrote to memory of 1972	2080	0ad306aa529ff62ea954023ec028d278_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\0ad306aa529ff62ea954023ec028d278_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ad306aa529ff62ea954023ec028d278_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Vdb..bat" > nul 2> nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Vdb..bat

Filesize
238B

MD5
863062116a0dc1255025718d36a927a1

SHA1
392d4410bce4360577005072f918d7b4a9e65698

SHA256
d48fbc6854dbdbd6d4f368147a7fde8cc427d60dd6c85f2bc5721f47bc4fe9f3

SHA512
52d4eaddf49e5a46b8e13ab7839ce6e9264c8c60d4e997418b8791cecd3a5ee8ac9ac60fb526bbdd964870ae630c7ff98e062895d21fb0e7c469e87dd02d948b

Download Submit
memory/2080-2-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2080-1-0x0000000000490000-0x000000000049B000-memory.dmp

Filesize
44KB

Download
memory/2080-3-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2080-4-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2080-6-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2080-7-0x0000000074E90000-0x0000000074E9F000-memory.dmp

Filesize
60KB

Download