f559e2dc77db2285486d54e328d5d0043b82d08badbef450a22f48be333f4959

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c434ff66527df8a4e76a16945f1ff68_JaffaCakes118.exe
Size

832KB
MD5

0c434ff66527df8a4e76a16945f1ff68
SHA1

1e45c9bc6acb7c97f1a7af8bdb6078c4295e47a7
SHA256

f559e2dc77db2285486d54e328d5d0043b82d08badbef450a22f48be333f4959
SHA512

90ff3a2697a323b9b6d4ab000cf50136e6f908ca47e9d2a52304b9e9b00d8bba09c2be3a1af469b59e82a0f41fb66e02c5ed9be477511010430785b73452154a
SSDEEP

12288:AuS+m1nBUtOcDvsEOh9UmYbd0AZXGkLjS/nhXamCLDy4uYlzlnoHY698EwUFN1L:7BSnBUtOcDvsimYxJw8LUJ

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2844	f768a07.tmp

Executes dropped EXE 2 IoCs

pid	Process
2844	f768a07.tmp
1908	0c434ff66527df8a4e76a16945f1ff68_JaffaCakes118.exe

Loads dropped DLL 4 IoCs

pid	Process
1636	0c434ff66527df8a4e76a16945f1ff68_JaffaCakes118.exe
1636	0c434ff66527df8a4e76a16945f1ff68_JaffaCakes118.exe
2844	f768a07.tmp
2844	f768a07.tmp

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c434ff66527df8a4e76a16945f1ff68_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f768a07.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c434ff66527df8a4e76a16945f1ff68_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1908	0c434ff66527df8a4e76a16945f1ff68_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 2844	1636	0c434ff66527df8a4e76a16945f1ff68_JaffaCakes118.exe	28
PID 1636 wrote to memory of 2844	1636	0c434ff66527df8a4e76a16945f1ff68_JaffaCakes118.exe	28
PID 1636 wrote to memory of 2844	1636	0c434ff66527df8a4e76a16945f1ff68_JaffaCakes118.exe	28
PID 1636 wrote to memory of 2844	1636	0c434ff66527df8a4e76a16945f1ff68_JaffaCakes118.exe	28
PID 2844 wrote to memory of 1908	2844	f768a07.tmp	29
PID 2844 wrote to memory of 1908	2844	f768a07.tmp	29
PID 2844 wrote to memory of 1908	2844	f768a07.tmp	29
PID 2844 wrote to memory of 1908	2844	f768a07.tmp	29

C:\Users\Admin\AppData\Local\Temp\0c434ff66527df8a4e76a16945f1ff68_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c434ff66527df8a4e76a16945f1ff68_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\f768a07.tmp
  >C:\Users\Admin\AppData\Local\Temp\0c434ff66527df8a4e76a16945f1ff68_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Users\Admin\AppData\Local\Temp\0c434ff66527df8a4e76a16945f1ff68_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0c434ff66527df8a4e76a16945f1ff68_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0c434ff66527df8a4e76a16945f1ff68_JaffaCakes118.exe

Filesize
771KB

MD5
0747cf0848425d7efc794ed0dfbbf9ae

SHA1
b7b57e5e9eb4f71713eb2c70212359a5341db1cc

SHA256
10729fd58582bb56dabc204b2b8dacf306148b8d92a346d60840b8b3959c8669

SHA512
a552f254175a233bd26a496a5bcf0f066d78138a29d59f5ba1580454dfb8e634b1be5d7a463d6e82ba56a554cb7bcf57953e51ece6b56a1ccaf4149a8c4e8653

Download Submit
C:\Users\Admin\AppData\Local\Temp\f768a07.tmp

Filesize
832KB

MD5
0c434ff66527df8a4e76a16945f1ff68

SHA1
1e45c9bc6acb7c97f1a7af8bdb6078c4295e47a7

SHA256
f559e2dc77db2285486d54e328d5d0043b82d08badbef450a22f48be333f4959

SHA512
90ff3a2697a323b9b6d4ab000cf50136e6f908ca47e9d2a52304b9e9b00d8bba09c2be3a1af469b59e82a0f41fb66e02c5ed9be477511010430785b73452154a

Download Submit
memory/1636-0-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/1636-9-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/1636-4-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/2844-11-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download