4ddbd7def9d00a51bcdeb0e4567399b04097dad90258be1d4e77159d444fb3ab

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f53d7bb262a0d4802603023d0bf2a95_JaffaCakes118.exe
Size

3.5MB
MD5

0f53d7bb262a0d4802603023d0bf2a95
SHA1

2678640d791de6a9f062f4496ffcd800acd607ee
SHA256

4ddbd7def9d00a51bcdeb0e4567399b04097dad90258be1d4e77159d444fb3ab
SHA512

024251791a25c5ebcb3328711d597fa75c423920bd9ab99e2afb940e12365c2fca6a07f68ffae12882fbe2d103eebb5ac71739b6a01c0fee833563feb7ea9a0f
SSDEEP

98304:xDb1W97gehfxzpYPMp4ykwD6oActSY5T/Mgl+MDZYdOxN9a:xtcgeR3PzD6oAcnz6Mtay9a

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2372	setup.exe

Loads dropped DLL 2 IoCs

pid	Process
2560	0f53d7bb262a0d4802603023d0bf2a95_JaffaCakes118.exe
2372	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f53d7bb262a0d4802603023d0bf2a95_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2372	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2372	2560	0f53d7bb262a0d4802603023d0bf2a95_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2372	2560	0f53d7bb262a0d4802603023d0bf2a95_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2372	2560	0f53d7bb262a0d4802603023d0bf2a95_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2372	2560	0f53d7bb262a0d4802603023d0bf2a95_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2372	2560	0f53d7bb262a0d4802603023d0bf2a95_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2372	2560	0f53d7bb262a0d4802603023d0bf2a95_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2372	2560	0f53d7bb262a0d4802603023d0bf2a95_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\0f53d7bb262a0d4802603023d0bf2a95_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f53d7bb262a0d4802603023d0bf2a95_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fppr332.dll

Filesize
276KB

MD5
304fc15fb63e8d4f368363ceca5a9767

SHA1
f9587c982bcb32cfdd5f7131a643dc8b4ac1ea31

SHA256
6c36b2f06d5533a11e00ab8e501eb832cafeb60d668c6dcb2dcdace47984f359

SHA512
7e5cffcaa8030fc75c2192087ca7f4722b0acfc56331faabe53805c4ba7b04ec9f8671f64174aefd50a1fca4bf4485c5a35d0fd6e60c55d806bd7810ff18a6c1

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
536KB

MD5
7a31a09d74c5fa0e164bc01b19ea7080

SHA1
e470dcf010585e18d35be4d657ac45852bfb2a96

SHA256
7132ab7bfa8dd225a36e7fe9afa74c7c49c41926b5958a19a7b7f6ab7f7d052c

SHA512
ef45a32028a6778067d2667ab74a5aeb49f41368cecf0465aa0449849ecbd52c01018e975613c9a8542f13b0ee7b666a883ebf2a426de02a9c5bd5b4b494886a

Download Submit
memory/2560-66-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2560-94-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download