67f7328ec683d0b316f4af2dd34c8411dbf7c1dfbb1dff7cb0b8f7812c36913d

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c682ff3e5b06ea55546a7ee8eac6c9c_JaffaCakes118.exe
Size

19KB
MD5

0c682ff3e5b06ea55546a7ee8eac6c9c
SHA1

8e1cc848e294b319f47a2f38ed4aad154fea7b05
SHA256

67f7328ec683d0b316f4af2dd34c8411dbf7c1dfbb1dff7cb0b8f7812c36913d
SHA512

1050592e1802d866a4eedeefc2dddb4e0c2a5140e208b7faf38bc2bbee7f380aa4f03beff4ce6e944cfe26a67cfd786a113a7d8e7dfe9640b2d08cfa58aae750
SSDEEP

384:P0qYE38hIxuA+Qjsh8KRJqfhVpn4t3Bh:cKGIxR+lfzqpVp4t33

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c682ff3e5b06ea55546a7ee8eac6c9c_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	0c682ff3e5b06ea55546a7ee8eac6c9c_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	0c682ff3e5b06ea55546a7ee8eac6c9c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2480	0c682ff3e5b06ea55546a7ee8eac6c9c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	0c682ff3e5b06ea55546a7ee8eac6c9c_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0c682ff3e5b06ea55546a7ee8eac6c9c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c682ff3e5b06ea55546a7ee8eac6c9c_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~!#205A.tmp

Filesize
4KB

MD5
43ffb6fbab7699effa77a918a43f517a

SHA1
b1ec20c7d069471306c057c7f0f346c2238a4098

SHA256
f9d3303058e3ba5d5a782320145583786f9466c9842d358d6edd81ef73fc5e9d

SHA512
81e442dd2d6701b120bff0750d5a44d4f7d166d69034b826da1b88cbb709ed38efdd7550fcd22222e3418620d78c47ab77579140e3309f2d4def050b4305fd49

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#2811.tmp

Filesize
13KB

MD5
53eec2b95c871f0f045484a8f70fe0d1

SHA1
bb855433fa2485ae4a83e07c939dab5f948cdf09

SHA256
4500b68058f881fb77a1a69d7776bb96b3114bc6a0f0943020906bddb9df5dd8

SHA512
194383020acb1fd82d75854162125450fbe91ab5a8eb5c5f68c70a352cd95f775ecdd912f25f63ff675acb0a52fa5563c2958a9a93792d185631100cd5f8e0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#3478.tmp

Filesize
13KB

MD5
84b6370f03ad5daf394ab7b753e9e899

SHA1
b61e8e9ad872ef4a7e634c59df3c1661faa84c15

SHA256
b5542e8f2237b36c2b59fd2a629589a788c05ac86900890d9203f716502db2ae

SHA512
4eccb90d32d717002497ce8cb26a1018310624f1cf0f70689c37475976796cc4f8e9d1b5c7a30691fff5014a9ef00fb3df59b0981980cfeb7b428d3cb25631dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#416C.tmp

Filesize
20KB

MD5
724bc5f333a5f583c972972d6f9722d4

SHA1
99940c70197aa902e585294744d4ae8556e3e201

SHA256
14cff447414941f6b735e224c2eccab61dbc1907cb6a7b955064c052c6ec8eee

SHA512
38a13b9db304ce2ba14696ead0dbdbab7aaef02f3205c7cf876a9a100bbc6b748985dfb6a401dfc5462af73c11fe11aa45dddbf61a12aa088079cd8a513c15a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#42F7.tmp

Filesize
6KB

MD5
6454a4082f02b40ed71860a7c4ea2e60

SHA1
965fd8fd7b2a9a8e8209a5a8cb3ff08e8969a2ce

SHA256
262f01609fd373d53ebed92e41054393ddb3a45250750be7dc353d52351c0eaf

SHA512
243fd1cd3e6c5dd3fd435b9e8d050e6743a5ac48e3c0cb1e08f00f8093d5f6e602023c7eae38262e6bf43e8c93a10c225be7fdfb2455f99a27bab5f9ddac0808

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#47F5.tmp

Filesize
4KB

MD5
34392dab3badf1aa9d8e5c7a54ca7465

SHA1
4ff83fb0e1bc3804a3890a8ef07aa8fec8597a4c

SHA256
096b24f6600695536ad002b3b4484ef64eb37632325fb657dad48dd79dce57d8

SHA512
63b3fb49a719933097c9d8420f12ddec5c07a3636a262c6ba7b787bf54933557d0091617d3bf561ddd7b23dfc21efe77351b728993c20278c77d338f055db94c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#48A2.tmp

Filesize
11KB

MD5
d5a6d9cdf7aebfa91c30b0772df2cc8d

SHA1
aa073f6e23520ef7e0d42480a672c38c58e30295

SHA256
095f6a194aaeefb2c7ff0fc07dbd6a797b85ae25abc4ba84b0616bed23eb8b79

SHA512
acc20a7bcd11ba1855f7c28b0b3915bc25c63ada8e6ea1e7cad3e428d8750bd41d928003637761ab3c1bf4fa5d66cbee402449e88377a8d2b250c1d68b416409

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#4A8C.tmp

Filesize
11KB

MD5
432ec51300eb44285e1ee4927b761b87

SHA1
b49a2951e830cda328dbcd08b373edbf23cfbbde

SHA256
2e07c528d3db0d8bfb9e7d87592ac98796eb3e3951a2dd298073787e2b469436

SHA512
9ae42f3412ed1699ed350e4665ce0d199909b3a41fb3237d9fdf6244d9575c6eb5ef415d658760eb56f4b24134f84c325296f2681f7ee61367155423c00d7015

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#4ADB.tmp

Filesize
10KB

MD5
0adb8c2334044f0b5abfeccaff16ea7b

SHA1
a69bf26a0bb8e0a679613b2936993dab7e7824c1

SHA256
153481f146d57f8545c6a42740a8436f5e26cea50937659a27c3a9c829da3a11

SHA512
595d2bd18ee79af1d417be37aa5df65a1eed537a7f2012b9f27f8eab1836f151bcc9c5be422f98210cff91fb52999fc1359b0d9a047ebdcfa61f721e47f76117

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#4B2A.tmp

Filesize
10KB

MD5
51c86a5c504c3c14795b90cdf24e5feb

SHA1
5aefee8f23753b9841b094c72907226ee899665b

SHA256
a0f078d0485f6b83a81257040259572e71d7e57d9ccd0f03e675221f83a89fde

SHA512
359b16336917c52ea71a28b971ceea3dfc7a327ca79dedc3eea46492a40892e2d166ecca9d15761c29691b17a21d8dc91279098a9ab7e5c0faf7781046c421a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#4F2D.tmp

Filesize
10KB

MD5
585d591653571b371cb949083ba299dd

SHA1
cd975270fe87e20042104f38d7d8a71f62e40c74

SHA256
474c578acb65197ed896c26d887ac278b298101003954505f6035343ecc4860a

SHA512
001a497e179b6ef5f2f94cfc47d7247b215d03f564c9cccea7deab672edbc05f3a45163f6bc7405891fd63b0e7b8eb2b7f1203efea2eeb83bb23790e94dd24b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#50B8.tmp

Filesize
14KB

MD5
8b44b03ca0211146b700682b06562574

SHA1
48e8bd447e437f8404c3e5bd0d3476403eff9fc7

SHA256
f75d0f54c2f3831214ce9ca7c4bd27dc11ab5a82f7ff146dd323c57216d16c59

SHA512
54591b97a9db9e8b89526eb8389e3bd8e583b9611438252551e30227dd0c868382673cf5e3f22662543c80e976011a1840a0e9c8c3e439cac196f12fb3a45ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#530F.tmp

Filesize
7KB

MD5
f374524e069498269f709268dc669ccb

SHA1
66ce35f12d60cb47c090f05054fe4ce5fdf7a76b

SHA256
7bef800185d20a5a13c3d4b081c67f85f6ba9f99993b647e0decc54651d94db5

SHA512
1dc27ab6f44c0de8a69e00fe44cae09b0ceed109bfcaa67c7a90325d1be462fc2f7bdc027a3518905b929a61f5b24e02f37bd7a7c5eb0296ee823e9593f0e1b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#56C1.tmp

Filesize
11KB

MD5
985695d43150efe560c984ab98b35b93

SHA1
030efdf7d332da150e9d0adb47aac3e37e7737e6

SHA256
0dfe62d8bfcc85f2e6ecf660df965abbd8827779bd3ba8b77a525c94c89fd136

SHA512
054f3a4aa135b55b68da366768832b654c326710ffdb69e9815a7c247e384018577ac62f41abbc31cd8c058f27226f4c2a0a30b04417bd79aa99a19ec3d1ce64

Download Submit
memory/2480-44-0x00000000002B0000-0x00000000002B2000-memory.dmp

Filesize
8KB

Download
memory/2480-0-0x00000000002B0000-0x00000000002B2000-memory.dmp

Filesize
8KB

Download