d7f89b926f57a40a4fad6fd014dbe450c386073a423c263d33c9ae434610e00c

Analysis

max time kernel
147s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 17:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0bb877290c6b1812d201387853b7d691_JaffaCakes118.exe
Size

205KB
MD5

0bb877290c6b1812d201387853b7d691
SHA1

055629761721379bdf5b0fbfe1cf61f0c2bdf17b
SHA256

d7f89b926f57a40a4fad6fd014dbe450c386073a423c263d33c9ae434610e00c
SHA512

ea046940d2102e5a0d44c6099b93113f8ea7656f14011a16c10794c1836a6a05b8f22a6f3e5217ca022b8386f97c45959995125ea07d8abea69e661750e74b0c
SSDEEP

3072:PgypCJK39NxHDf6amXok1HDBtwzzXRJ1cttyCVc4WA0YOfylekxaykUwJiy:5pCJOyamv1zsXLpCS4F0c4kAykU0iy

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
2944	system32.exe
3004	system32.exe
2644	system32.exe
2680	system32.exe
1160	system32.exe
2068	system32.exe
2072	system32.exe
1060	system32.exe
2236	system32.exe
760	system32.exe

Loads dropped DLL 20 IoCs

pid	Process
1820	0bb877290c6b1812d201387853b7d691_JaffaCakes118.exe
1820	0bb877290c6b1812d201387853b7d691_JaffaCakes118.exe
2944	system32.exe
2944	system32.exe
3004	system32.exe
3004	system32.exe
2644	system32.exe
2644	system32.exe
2680	system32.exe
2680	system32.exe
1160	system32.exe
1160	system32.exe
2068	system32.exe
2068	system32.exe
2072	system32.exe
2072	system32.exe
1060	system32.exe
1060	system32.exe
2236	system32.exe
2236	system32.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\system32.exe	system32.exe
File created	C:\Windows\SysWOW64\system32.exe	system32.exe
File created	C:\Windows\SysWOW64\system32.exe	system32.exe
File created	C:\Windows\SysWOW64\system32.exe	0bb877290c6b1812d201387853b7d691_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\system32.exe	0bb877290c6b1812d201387853b7d691_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\system32.exe	system32.exe
File opened for modification	C:\Windows\SysWOW64\system32.exe	system32.exe
File created	C:\Windows\SysWOW64\system32.exe	system32.exe
File opened for modification	C:\Windows\SysWOW64\system32.exe	system32.exe
File opened for modification	C:\Windows\SysWOW64\system32.exe	system32.exe
File created	C:\Windows\SysWOW64\system32.exe	system32.exe
File opened for modification	C:\Windows\SysWOW64\system32.exe	system32.exe
File created	C:\Windows\SysWOW64\system32.exe	system32.exe
File opened for modification	C:\Windows\SysWOW64\system32.exe	system32.exe
File opened for modification	C:\Windows\SysWOW64\system32.exe	system32.exe
File created	C:\Windows\SysWOW64\system32.exe	system32.exe
File created	C:\Windows\SysWOW64\system32.exe	system32.exe
File created	C:\Windows\SysWOW64\system32.exe	system32.exe
File created	C:\Windows\SysWOW64\system32.exe	system32.exe
File opened for modification	C:\Windows\SysWOW64\system32.exe	system32.exe
File opened for modification	C:\Windows\SysWOW64\system32.exe	system32.exe
File opened for modification	C:\Windows\SysWOW64\system32.exe	system32.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bb877290c6b1812d201387853b7d691_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1820	0bb877290c6b1812d201387853b7d691_JaffaCakes118.exe
2944	system32.exe
3004	system32.exe
2644	system32.exe
2680	system32.exe
1160	system32.exe
2068	system32.exe
2072	system32.exe
1060	system32.exe
2236	system32.exe
760	system32.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2944	1820	0bb877290c6b1812d201387853b7d691_JaffaCakes118.exe	30
PID 1820 wrote to memory of 2944	1820	0bb877290c6b1812d201387853b7d691_JaffaCakes118.exe	30
PID 1820 wrote to memory of 2944	1820	0bb877290c6b1812d201387853b7d691_JaffaCakes118.exe	30
PID 1820 wrote to memory of 2944	1820	0bb877290c6b1812d201387853b7d691_JaffaCakes118.exe	30
PID 2944 wrote to memory of 3004	2944	system32.exe	32
PID 2944 wrote to memory of 3004	2944	system32.exe	32
PID 2944 wrote to memory of 3004	2944	system32.exe	32
PID 2944 wrote to memory of 3004	2944	system32.exe	32
PID 3004 wrote to memory of 2644	3004	system32.exe	33
PID 3004 wrote to memory of 2644	3004	system32.exe	33
PID 3004 wrote to memory of 2644	3004	system32.exe	33
PID 3004 wrote to memory of 2644	3004	system32.exe	33
PID 2644 wrote to memory of 2680	2644	system32.exe	34
PID 2644 wrote to memory of 2680	2644	system32.exe	34
PID 2644 wrote to memory of 2680	2644	system32.exe	34
PID 2644 wrote to memory of 2680	2644	system32.exe	34
PID 2680 wrote to memory of 1160	2680	system32.exe	35
PID 2680 wrote to memory of 1160	2680	system32.exe	35
PID 2680 wrote to memory of 1160	2680	system32.exe	35
PID 2680 wrote to memory of 1160	2680	system32.exe	35
PID 1160 wrote to memory of 2068	1160	system32.exe	36
PID 1160 wrote to memory of 2068	1160	system32.exe	36
PID 1160 wrote to memory of 2068	1160	system32.exe	36
PID 1160 wrote to memory of 2068	1160	system32.exe	36
PID 2068 wrote to memory of 2072	2068	system32.exe	37
PID 2068 wrote to memory of 2072	2068	system32.exe	37
PID 2068 wrote to memory of 2072	2068	system32.exe	37
PID 2068 wrote to memory of 2072	2068	system32.exe	37
PID 2072 wrote to memory of 1060	2072	system32.exe	38
PID 2072 wrote to memory of 1060	2072	system32.exe	38
PID 2072 wrote to memory of 1060	2072	system32.exe	38
PID 2072 wrote to memory of 1060	2072	system32.exe	38
PID 1060 wrote to memory of 2236	1060	system32.exe	39
PID 1060 wrote to memory of 2236	1060	system32.exe	39
PID 1060 wrote to memory of 2236	1060	system32.exe	39
PID 1060 wrote to memory of 2236	1060	system32.exe	39
PID 2236 wrote to memory of 760	2236	system32.exe	40
PID 2236 wrote to memory of 760	2236	system32.exe	40
PID 2236 wrote to memory of 760	2236	system32.exe	40
PID 2236 wrote to memory of 760	2236	system32.exe	40

C:\Users\Admin\AppData\Local\Temp\0bb877290c6b1812d201387853b7d691_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0bb877290c6b1812d201387853b7d691_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\SysWOW64\system32.exe
  C:\Windows\system32\system32.exe 536 "C:\Users\Admin\AppData\Local\Temp\0bb877290c6b1812d201387853b7d691_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\system32.exe
    C:\Windows\system32\system32.exe 548 "C:\Windows\SysWOW64\system32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\SysWOW64\system32.exe
      C:\Windows\system32\system32.exe 544 "C:\Windows\SysWOW64\system32.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\SysWOW64\system32.exe
        
        C:\Windows\system32\system32.exe 532 "C:\Windows\SysWOW64\system32.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - C:\Windows\SysWOW64\system32.exe
        
        C:\Windows\system32\system32.exe 564 "C:\Windows\SysWOW64\system32.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\system32.exe
        
        C:\Windows\system32\system32.exe 540 "C:\Windows\SysWOW64\system32.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\system32.exe
        
        C:\Windows\system32\system32.exe 560 "C:\Windows\SysWOW64\system32.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\system32.exe
        
        C:\Windows\system32\system32.exe 552 "C:\Windows\SysWOW64\system32.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\system32.exe
        
        C:\Windows\system32\system32.exe 584 "C:\Windows\SysWOW64\system32.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\system32.exe
        
        C:\Windows\system32\system32.exe 556 "C:\Windows\SysWOW64\system32.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\system32.exe

Filesize
205KB

MD5
0bb877290c6b1812d201387853b7d691

SHA1
055629761721379bdf5b0fbfe1cf61f0c2bdf17b

SHA256
d7f89b926f57a40a4fad6fd014dbe450c386073a423c263d33c9ae434610e00c

SHA512
ea046940d2102e5a0d44c6099b93113f8ea7656f14011a16c10794c1836a6a05b8f22a6f3e5217ca022b8386f97c45959995125ea07d8abea69e661750e74b0c

Download Submit
memory/760-139-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/760-133-0x0000000000280000-0x00000000002D5000-memory.dmp

Filesize
340KB

Download
memory/760-134-0x0000000000280000-0x00000000002D5000-memory.dmp

Filesize
340KB

Download
memory/760-132-0x0000000000280000-0x00000000002D5000-memory.dmp

Filesize
340KB

Download
memory/1060-111-0x0000000001D20000-0x0000000001D75000-memory.dmp

Filesize
340KB

Download
memory/1060-126-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/1060-117-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/1060-112-0x0000000001D20000-0x0000000001D75000-memory.dmp

Filesize
340KB

Download
memory/1060-124-0x0000000001D20000-0x0000000001D75000-memory.dmp

Filesize
340KB

Download
memory/1060-110-0x0000000001D20000-0x0000000001D75000-memory.dmp

Filesize
340KB

Download
memory/1160-78-0x00000000007D0000-0x0000000000825000-memory.dmp

Filesize
340KB

Download
memory/1160-77-0x00000000007D0000-0x0000000000825000-memory.dmp

Filesize
340KB

Download
memory/1160-76-0x00000000007D0000-0x0000000000825000-memory.dmp

Filesize
340KB

Download
memory/1160-92-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/1160-90-0x00000000007D0000-0x0000000000825000-memory.dmp

Filesize
340KB

Download
memory/1160-83-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/1820-23-0x00000000002F0000-0x0000000000345000-memory.dmp

Filesize
340KB

Download
memory/1820-25-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/1820-0-0x00000000002F0000-0x0000000000345000-memory.dmp

Filesize
340KB

Download
memory/1820-14-0x0000000002B80000-0x0000000002CED000-memory.dmp

Filesize
1.4MB

Download
memory/1820-3-0x00000000002F0000-0x0000000000345000-memory.dmp

Filesize
340KB

Download
memory/1820-4-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1820-1-0x00000000002F0000-0x0000000000345000-memory.dmp

Filesize
340KB

Download
memory/1820-2-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/2068-89-0x0000000000770000-0x00000000007C5000-memory.dmp

Filesize
340KB

Download
memory/2068-88-0x0000000000770000-0x00000000007C5000-memory.dmp

Filesize
340KB

Download
memory/2068-87-0x0000000000770000-0x00000000007C5000-memory.dmp

Filesize
340KB

Download
memory/2068-104-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/2068-102-0x0000000000770000-0x00000000007C5000-memory.dmp

Filesize
340KB

Download
memory/2068-94-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/2072-106-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/2072-100-0x0000000000290000-0x00000000002E5000-memory.dmp

Filesize
340KB

Download
memory/2072-115-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/2072-113-0x0000000000290000-0x00000000002E5000-memory.dmp

Filesize
340KB

Download
memory/2072-101-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/2072-98-0x0000000000290000-0x00000000002E5000-memory.dmp

Filesize
340KB

Download
memory/2072-99-0x0000000000290000-0x00000000002E5000-memory.dmp

Filesize
340KB

Download
memory/2236-137-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/2236-135-0x0000000000290000-0x00000000002E5000-memory.dmp

Filesize
340KB

Download
memory/2236-123-0x0000000000290000-0x00000000002E5000-memory.dmp

Filesize
340KB

Download
memory/2236-121-0x0000000000290000-0x00000000002E5000-memory.dmp

Filesize
340KB

Download
memory/2236-127-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/2236-122-0x0000000000290000-0x00000000002E5000-memory.dmp

Filesize
340KB

Download
memory/2644-58-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/2644-50-0x0000000000250000-0x00000000002A5000-memory.dmp

Filesize
340KB

Download
memory/2644-70-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/2644-53-0x0000000000250000-0x00000000002A5000-memory.dmp

Filesize
340KB

Download
memory/2644-68-0x0000000000250000-0x00000000002A5000-memory.dmp

Filesize
340KB

Download
memory/2644-51-0x0000000000250000-0x00000000002A5000-memory.dmp

Filesize
340KB

Download
memory/2644-54-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2644-63-0x0000000002B90000-0x0000000002CFD000-memory.dmp

Filesize
1.4MB

Download
memory/2644-59-0x0000000000250000-0x00000000002A5000-memory.dmp

Filesize
340KB

Download
memory/2644-52-0x0000000000250000-0x00000000002A5000-memory.dmp

Filesize
340KB

Download
memory/2680-66-0x0000000001C90000-0x0000000001CE5000-memory.dmp

Filesize
340KB

Download
memory/2680-81-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/2680-79-0x0000000001C90000-0x0000000001CE5000-memory.dmp

Filesize
340KB

Download
memory/2680-72-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/2680-67-0x0000000001C90000-0x0000000001CE5000-memory.dmp

Filesize
340KB

Download
memory/2680-65-0x0000000001C90000-0x0000000001CE5000-memory.dmp

Filesize
340KB

Download
memory/2944-18-0x0000000000250000-0x00000000002A5000-memory.dmp

Filesize
340KB

Download
memory/2944-19-0x0000000000250000-0x00000000002A5000-memory.dmp

Filesize
340KB

Download
memory/2944-20-0x0000000000250000-0x00000000002A5000-memory.dmp

Filesize
340KB

Download
memory/2944-31-0x0000000002A00000-0x0000000002B6D000-memory.dmp

Filesize
1.4MB

Download
memory/2944-21-0x0000000000250000-0x00000000002A5000-memory.dmp

Filesize
340KB

Download
memory/2944-17-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/2944-41-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/2944-39-0x0000000000250000-0x00000000002A5000-memory.dmp

Filesize
340KB

Download
memory/2944-22-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2944-26-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/2944-27-0x0000000000250000-0x00000000002A5000-memory.dmp

Filesize
340KB

Download
memory/2944-32-0x0000000002A00000-0x0000000002B6D000-memory.dmp

Filesize
1.4MB

Download
memory/3004-49-0x0000000002A20000-0x0000000002B8D000-memory.dmp

Filesize
1.4MB

Download
memory/3004-34-0x0000000000310000-0x0000000000365000-memory.dmp

Filesize
340KB

Download
memory/3004-38-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3004-37-0x0000000000310000-0x0000000000365000-memory.dmp

Filesize
340KB

Download
memory/3004-36-0x0000000000310000-0x0000000000365000-memory.dmp

Filesize
340KB

Download
memory/3004-35-0x0000000000310000-0x0000000000365000-memory.dmp

Filesize
340KB

Download
memory/3004-42-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/3004-43-0x0000000000310000-0x0000000000365000-memory.dmp

Filesize
340KB

Download
memory/3004-46-0x0000000002A20000-0x0000000002B8D000-memory.dmp

Filesize
1.4MB

Download
memory/3004-55-0x0000000000310000-0x0000000000365000-memory.dmp

Filesize
340KB

Download
memory/3004-57-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download