6441154a13cbdd4e555c45bfc01562bb659d59c116d31bdebbcad9c14f97b341

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe
Size

380KB
MD5

0bb2c9fa052921012d29d95ec794a6dd
SHA1

f72b8b078a281c438477ff007cbc134164cfc21e
SHA256

6441154a13cbdd4e555c45bfc01562bb659d59c116d31bdebbcad9c14f97b341
SHA512

8d7ded6fb81b7eea87c489c2686d95f2b83989f7b2848aad75de774af3f5ab2a1887343551a87ef1eae956e0d8ee029e7e67ce3a382315ca6b54c8b6e1eb3f07
SSDEEP

6144:kXsB7rtp/nWdoxpRThhSRiY4xBPKQwbFAE805RXUELjJoxGq6IEm02bvGDU:kXsNtp/EoxpRFoqBProSE8qFYGq6I0YB

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
712	test.exe
1660	test.exe

Loads dropped DLL 2 IoCs

pid	Process
1812	0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe
712	test.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 712 set thread context of 1660	712	test.exe	31
PID 712 set thread context of 0	712	test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: 33	1812	0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1812	0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe
Token: 33	1812	0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1812	0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe
Token: 33	1812	0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1812	0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe
Token: 33	1812	0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1812	0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe
Token: 33	712	test.exe
Token: SeIncBasePriorityPrivilege	712	test.exe
Token: 33	712	test.exe
Token: SeIncBasePriorityPrivilege	712	test.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
712	test.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 712	1812	0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe	30
PID 1812 wrote to memory of 712	1812	0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe	30
PID 1812 wrote to memory of 712	1812	0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe	30
PID 1812 wrote to memory of 712	1812	0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe	30
PID 712 wrote to memory of 1660	712	test.exe	31
PID 712 wrote to memory of 1660	712	test.exe	31
PID 712 wrote to memory of 1660	712	test.exe	31
PID 712 wrote to memory of 1660	712	test.exe	31
PID 712 wrote to memory of 1660	712	test.exe	31
PID 712 wrote to memory of 1660	712	test.exe	31
PID 712 wrote to memory of 1660	712	test.exe	31
PID 712 wrote to memory of 1660	712	test.exe	31
PID 712 wrote to memory of 0	712	test.exe
PID 712 wrote to memory of 0	712	test.exe
PID 712 wrote to memory of 0	712	test.exe
PID 712 wrote to memory of 0	712	test.exe

C:\Users\Admin\AppData\Local\Temp\0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\2011.07.06T11.46\Virtual\STUBEXE\@APPDATALOCAL@\Temp\test.exe
  "C:\Users\Admin\AppData\Local\Temp\test.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:712
- - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\2011.07.06T11.46\Virtual\STUBEXE\@APPDATALOCAL@\Temp\test.exe
    "C:\Users\Admin\AppData\Local\Temp\test.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\2011.07.06T11.46\Virtual\STUBEXE\@APPDATALOCAL@\Temp\test.exe

Filesize
17KB

MD5
90a691546ff7e6dadffaf547563bf21c

SHA1
514f11de40096db6715f8efa63daa288f1f1f4fb

SHA256
4d86b32cb8666936217e0abf220788c7a2cfc80b795a1edd3b5311d446080dbf

SHA512
319257461794c5705c6f4423bf8f452f7b98bd0834a208e54929209b0af375ac62dbda33f34d2427ebe14fdc5eaaf8733032814a47c010c10d829421862b6bba

Download Submit
memory/1660-634-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1812-0-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-1-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-14-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-32-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-44-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-7-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-55-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-49-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-48-0x0000000077AE0000-0x0000000077AE1000-memory.dmp

Filesize
4KB

Download
memory/1812-46-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-42-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-39-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-37-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-35-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-30-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-28-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-73-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-26-0x0000000077AE0000-0x0000000077AE1000-memory.dmp

Filesize
4KB

Download
memory/1812-24-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-22-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-20-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-17-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-11-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-6-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-2-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-146-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-160-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-175-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-241-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-65-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-253-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-236-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-225-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-224-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-205-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-204-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-197-0x0000000077AE0000-0x0000000077AE1000-memory.dmp

Filesize
4KB

Download
memory/1812-194-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-183-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-163-0x0000000077AE0000-0x0000000077AE1000-memory.dmp

Filesize
4KB

Download
memory/1812-133-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-119-0x0000000077AE0000-0x0000000077AE1000-memory.dmp

Filesize
4KB

Download
memory/1812-75-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-71-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-69-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-67-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-63-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-61-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-59-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-57-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-53-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-51-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1812-636-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download