72df28bf5d9494ea2ca557a1117c8efcc671d39bc0c0bb401785796136c33b6e

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

109b6a66878c4b1310f607c3b215bbe2_JaffaCakes118.exe
Size

236KB
MD5

109b6a66878c4b1310f607c3b215bbe2
SHA1

4dc19d05b6b622ff9db30ce28ad99adda7d1d54e
SHA256

72df28bf5d9494ea2ca557a1117c8efcc671d39bc0c0bb401785796136c33b6e
SHA512

13ac357e343f9d8fe05e9ab2b5c7ac58a8d1c2dc3d56d45e59928de293d51e55d4479390d9c4a6b02c67ee751dbc12eb04e710964c081e07cafb5817884528c7
SSDEEP

6144:WIEaeNJ3XTBcdoRs8kJdhnnsIW2Y/m+0HXEjtra:PEao3DB4oy8wdhnns3p+utO

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
268	uninst1.exe

Loads dropped DLL 5 IoCs

pid	Process
3008	109b6a66878c4b1310f607c3b215bbe2_JaffaCakes118.exe
3008	109b6a66878c4b1310f607c3b215bbe2_JaffaCakes118.exe
3008	109b6a66878c4b1310f607c3b215bbe2_JaffaCakes118.exe
268	uninst1.exe
268	uninst1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	109b6a66878c4b1310f607c3b215bbe2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninst1.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 268	3008	109b6a66878c4b1310f607c3b215bbe2_JaffaCakes118.exe	31
PID 3008 wrote to memory of 268	3008	109b6a66878c4b1310f607c3b215bbe2_JaffaCakes118.exe	31
PID 3008 wrote to memory of 268	3008	109b6a66878c4b1310f607c3b215bbe2_JaffaCakes118.exe	31
PID 3008 wrote to memory of 268	3008	109b6a66878c4b1310f607c3b215bbe2_JaffaCakes118.exe	31
PID 3008 wrote to memory of 268	3008	109b6a66878c4b1310f607c3b215bbe2_JaffaCakes118.exe	31
PID 3008 wrote to memory of 268	3008	109b6a66878c4b1310f607c3b215bbe2_JaffaCakes118.exe	31
PID 3008 wrote to memory of 268	3008	109b6a66878c4b1310f607c3b215bbe2_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\109b6a66878c4b1310f607c3b215bbe2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\109b6a66878c4b1310f607c3b215bbe2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Local\Temp\uninst1.exe
  C:\Users\Admin\AppData\Local\Temp\uninst1.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\gentee12\guig.dll

Filesize
20KB

MD5
8757cd8c68b85d668f15befc13251d5e

SHA1
4ac9df9e507727072644e03815ab2f872e72fd89

SHA256
96d1906ef8f1ac224830da79bc9492aa21ffbacd4caa4fb44cc64dedf09047a2

SHA512
9a3286826d1ce780ce699dfd8d1244a94ce8700a89c75f2dbcfbae19e8609d243754067385364bdecb91e9108c11c062564e2d045652977faaf2e92d129b1a4a

Download Submit
\Users\Admin\AppData\Local\Temp\genteert.dll

Filesize
60KB

MD5
ceb49a8552067f2b08c93aaa38da3d12

SHA1
7f4275ced86f448eb29f0b26cf5fe86fe43c783f

SHA256
904b926c5359a4058a80057cdc4bed4c0be43c2e1c8993e870cbab69831a84b4

SHA512
d2a593bc04a3497b7cfbfd2a89add0dbf87f1e2fd159af9b44155cf3d35e16b3a4ae7ada194db94258385c5b9de49abb1e3ad8d26cbfc444d03798433e8e843d

Download Submit
\Users\Admin\AppData\Local\Temp\uninst1.exe

Filesize
236KB

MD5
bc8f887820d197a12a1970b0fa9357e3

SHA1
49d916bf5199c26fd077729376ea8142ad40ae3d

SHA256
e8355f2501167ccc1a41e985d773a2864e70c8a995ee57dfba767367fbdacc3f

SHA512
5e3ff64fb796a83701ab3273f0bd66733e1975567175424fefddf74973a3e3884c996559f531c6f7f1a633ed09ac2939f9cb836e7a133c820664a2992d289d63

Download Submit
memory/268-22-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download