1e35a3bb5417e112834245287993abbdd1a83d269cc3bf56935377ba06ef536d

Analysis

max time kernel
137s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 06:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e7b59601a1686e74cbacafd2ed67d4b_JaffaCakes118.exe
Size

114KB
MD5

0e7b59601a1686e74cbacafd2ed67d4b
SHA1

a7444f17546821cabf414bdea357800e7d5a0fbb
SHA256

1e35a3bb5417e112834245287993abbdd1a83d269cc3bf56935377ba06ef536d
SHA512

f27b6f3bfdbb2e7a0ed42f264d1dc947483e16f6f0152d62f1eafe13f199619a5c0439bd312ef7ef8beeb64f4de985b44c97db3f48067e98e9beee72c12431d7
SSDEEP

3072:NsOyHDzOoGHK2E8wRX0RDSrrkIAtNLSnFX2a:qOyjzOoGHr9wRvrnAtNGFT

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
2092	spoolsvc.exe
2916	spoolsvc.exe
2820	spoolsvc.exe
2664	spoolsvc.exe
632	spoolsvc.exe
2956	spoolsvc.exe
2072	spoolsvc.exe
2568	spoolsvc.exe
1280	spoolsvc.exe
2280	spoolsvc.exe

Loads dropped DLL 20 IoCs

pid	Process
2364	0e7b59601a1686e74cbacafd2ed67d4b_JaffaCakes118.exe
2364	0e7b59601a1686e74cbacafd2ed67d4b_JaffaCakes118.exe
2092	spoolsvc.exe
2092	spoolsvc.exe
2916	spoolsvc.exe
2916	spoolsvc.exe
2820	spoolsvc.exe
2820	spoolsvc.exe
2664	spoolsvc.exe
2664	spoolsvc.exe
632	spoolsvc.exe
632	spoolsvc.exe
2956	spoolsvc.exe
2956	spoolsvc.exe
2072	spoolsvc.exe
2072	spoolsvc.exe
2568	spoolsvc.exe
2568	spoolsvc.exe
1280	spoolsvc.exe
1280	spoolsvc.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\spoolsvc.exe	spoolsvc.exe
File created	C:\Windows\SysWOW64\spoolsvc.exe	spoolsvc.exe
File opened for modification	C:\Windows\SysWOW64\spoolsvc.exe	spoolsvc.exe
File created	C:\Windows\SysWOW64\spoolsvc.exe	spoolsvc.exe
File created	C:\Windows\SysWOW64\spoolsvc.exe	spoolsvc.exe
File opened for modification	C:\Windows\SysWOW64\spoolsvc.exe	spoolsvc.exe
File created	C:\Windows\SysWOW64\spoolsvc.exe	spoolsvc.exe
File opened for modification	C:\Windows\SysWOW64\spoolsvc.exe	spoolsvc.exe
File opened for modification	C:\Windows\SysWOW64\spoolsvc.exe	spoolsvc.exe
File opened for modification	C:\Windows\SysWOW64\spoolsvc.exe	0e7b59601a1686e74cbacafd2ed67d4b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\spoolsvc.exe	spoolsvc.exe
File opened for modification	C:\Windows\SysWOW64\spoolsvc.exe	spoolsvc.exe
File created	C:\Windows\SysWOW64\spoolsvc.exe	spoolsvc.exe
File opened for modification	C:\Windows\SysWOW64\spoolsvc.exe	spoolsvc.exe
File created	C:\Windows\SysWOW64\spoolsvc.exe	spoolsvc.exe
File opened for modification	C:\Windows\SysWOW64\spoolsvc.exe	spoolsvc.exe
File created	C:\Windows\SysWOW64\spoolsvc.exe	spoolsvc.exe
File created	C:\Windows\SysWOW64\spoolsvc.exe	spoolsvc.exe
File created	C:\Windows\SysWOW64\spoolsvc.exe	spoolsvc.exe
File created	C:\Windows\SysWOW64\spoolsvc.exe	0e7b59601a1686e74cbacafd2ed67d4b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\spoolsvc.exe	spoolsvc.exe
File opened for modification	C:\Windows\SysWOW64\spoolsvc.exe	spoolsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e7b59601a1686e74cbacafd2ed67d4b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsvc.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2092	2364	0e7b59601a1686e74cbacafd2ed67d4b_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2092	2364	0e7b59601a1686e74cbacafd2ed67d4b_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2092	2364	0e7b59601a1686e74cbacafd2ed67d4b_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2092	2364	0e7b59601a1686e74cbacafd2ed67d4b_JaffaCakes118.exe	31
PID 2092 wrote to memory of 2916	2092	spoolsvc.exe	32
PID 2092 wrote to memory of 2916	2092	spoolsvc.exe	32
PID 2092 wrote to memory of 2916	2092	spoolsvc.exe	32
PID 2092 wrote to memory of 2916	2092	spoolsvc.exe	32
PID 2916 wrote to memory of 2820	2916	spoolsvc.exe	33
PID 2916 wrote to memory of 2820	2916	spoolsvc.exe	33
PID 2916 wrote to memory of 2820	2916	spoolsvc.exe	33
PID 2916 wrote to memory of 2820	2916	spoolsvc.exe	33
PID 2820 wrote to memory of 2664	2820	spoolsvc.exe	34
PID 2820 wrote to memory of 2664	2820	spoolsvc.exe	34
PID 2820 wrote to memory of 2664	2820	spoolsvc.exe	34
PID 2820 wrote to memory of 2664	2820	spoolsvc.exe	34
PID 2664 wrote to memory of 632	2664	spoolsvc.exe	35
PID 2664 wrote to memory of 632	2664	spoolsvc.exe	35
PID 2664 wrote to memory of 632	2664	spoolsvc.exe	35
PID 2664 wrote to memory of 632	2664	spoolsvc.exe	35
PID 632 wrote to memory of 2956	632	spoolsvc.exe	36
PID 632 wrote to memory of 2956	632	spoolsvc.exe	36
PID 632 wrote to memory of 2956	632	spoolsvc.exe	36
PID 632 wrote to memory of 2956	632	spoolsvc.exe	36
PID 2956 wrote to memory of 2072	2956	spoolsvc.exe	38
PID 2956 wrote to memory of 2072	2956	spoolsvc.exe	38
PID 2956 wrote to memory of 2072	2956	spoolsvc.exe	38
PID 2956 wrote to memory of 2072	2956	spoolsvc.exe	38
PID 2072 wrote to memory of 2568	2072	spoolsvc.exe	39
PID 2072 wrote to memory of 2568	2072	spoolsvc.exe	39
PID 2072 wrote to memory of 2568	2072	spoolsvc.exe	39
PID 2072 wrote to memory of 2568	2072	spoolsvc.exe	39
PID 2568 wrote to memory of 1280	2568	spoolsvc.exe	40
PID 2568 wrote to memory of 1280	2568	spoolsvc.exe	40
PID 2568 wrote to memory of 1280	2568	spoolsvc.exe	40
PID 2568 wrote to memory of 1280	2568	spoolsvc.exe	40
PID 1280 wrote to memory of 2280	1280	spoolsvc.exe	41
PID 1280 wrote to memory of 2280	1280	spoolsvc.exe	41
PID 1280 wrote to memory of 2280	1280	spoolsvc.exe	41
PID 1280 wrote to memory of 2280	1280	spoolsvc.exe	41

C:\Users\Admin\AppData\Local\Temp\0e7b59601a1686e74cbacafd2ed67d4b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e7b59601a1686e74cbacafd2ed67d4b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\SysWOW64\spoolsvc.exe
  C:\Windows\system32\spoolsvc.exe 456 "C:\Users\Admin\AppData\Local\Temp\0e7b59601a1686e74cbacafd2ed67d4b_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\spoolsvc.exe
    C:\Windows\system32\spoolsvc.exe 536 "C:\Windows\SysWOW64\spoolsvc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\spoolsvc.exe
      C:\Windows\system32\spoolsvc.exe 556 "C:\Windows\SysWOW64\spoolsvc.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\SysWOW64\spoolsvc.exe
        
        C:\Windows\system32\spoolsvc.exe 548 "C:\Windows\SysWOW64\spoolsvc.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\SysWOW64\spoolsvc.exe
        
        C:\Windows\system32\spoolsvc.exe 560 "C:\Windows\SysWOW64\spoolsvc.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\spoolsvc.exe
        
        C:\Windows\system32\spoolsvc.exe 568 "C:\Windows\SysWOW64\spoolsvc.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\spoolsvc.exe
        
        C:\Windows\system32\spoolsvc.exe 592 "C:\Windows\SysWOW64\spoolsvc.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\spoolsvc.exe
        
        C:\Windows\system32\spoolsvc.exe 596 "C:\Windows\SysWOW64\spoolsvc.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\spoolsvc.exe
        
        C:\Windows\system32\spoolsvc.exe 584 "C:\Windows\SysWOW64\spoolsvc.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\spoolsvc.exe
        
        C:\Windows\system32\spoolsvc.exe 608 "C:\Windows\SysWOW64\spoolsvc.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\spoolsvc.exe

Filesize
114KB

MD5
0e7b59601a1686e74cbacafd2ed67d4b

SHA1
a7444f17546821cabf414bdea357800e7d5a0fbb

SHA256
1e35a3bb5417e112834245287993abbdd1a83d269cc3bf56935377ba06ef536d

SHA512
f27b6f3bfdbb2e7a0ed42f264d1dc947483e16f6f0152d62f1eafe13f199619a5c0439bd312ef7ef8beeb64f4de985b44c97db3f48067e98e9beee72c12431d7

Download Submit
memory/632-39-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1280-56-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2072-47-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2092-23-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2092-13-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2092-20-0x00000000020A0000-0x0000000002121000-memory.dmp

Filesize
516KB

Download
memory/2092-14-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2364-7-0x0000000002530000-0x00000000025B1000-memory.dmp

Filesize
516KB

Download
memory/2364-16-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2364-0-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2364-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2568-52-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2568-50-0x00000000027A0000-0x0000000002821000-memory.dmp

Filesize
516KB

Download
memory/2664-35-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2820-31-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2916-22-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2916-27-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2916-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2956-43-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download