d591c8b30c75b48712506b495c23051f186b822755f82a08e35f372d5f0d3f10

Analysis

max time kernel
103s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c02d3bcfe8a00a74a2807fbbe50e647_JaffaCakes118.jad
Size

38KB
MD5

0c02d3bcfe8a00a74a2807fbbe50e647
SHA1

1c1958541564c3b3b775c8b1c6b31f86f3bede2b
SHA256

d591c8b30c75b48712506b495c23051f186b822755f82a08e35f372d5f0d3f10
SHA512

e6b5d54fce6869bfc00b3f1281c027c066156735fecbb5d177a8fc6eabe2174f9e3115200beb700b906dc1042c80ee85db331c92c4f48f4c3e8af6437d84e5ef
SSDEEP

768:KeVSY9TMQMhHGWJDWrAJ890hMIt+ibNfB3SmFV2wnl+35zCkFx:hVSqTMsQJ8mhkibV0mFkwlbkL

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2824	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2824	AcroRd32.exe
2824	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2908	2572	cmd.exe	31
PID 2572 wrote to memory of 2908	2572	cmd.exe	31
PID 2572 wrote to memory of 2908	2572	cmd.exe	31
PID 2908 wrote to memory of 2824	2908	rundll32.exe	32
PID 2908 wrote to memory of 2824	2908	rundll32.exe	32
PID 2908 wrote to memory of 2824	2908	rundll32.exe	32
PID 2908 wrote to memory of 2824	2908	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\0c02d3bcfe8a00a74a2807fbbe50e647_JaffaCakes118.jad
1⤵
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\0c02d3bcfe8a00a74a2807fbbe50e647_JaffaCakes118.jad
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\0c02d3bcfe8a00a74a2807fbbe50e647_JaffaCakes118.jad"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
cfea13ff32da151ad9d3e02febbfae97

SHA1
09eae7093a5e992063a5508af0ccb65dd60d9b87

SHA256
467db5c32f14baa250bf72635107026c365af62e47d1af1ea36befa96d43b548

SHA512
044956e72274fb84d49f3472601a38a7c4424871906e431412ca5b2a02726ec418e59257cb93082c5de22dd470e0b1091ea12e2f86a9f589128ae217054aca0f

Download Submit