69f370597c62d8f4c9af2f0feb1312416f8ffea4b449763deb2782cadde00c43

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

116b02350a8a0d8043cc717a7352410e_JaffaCakes118.exe
Size

127KB
MD5

116b02350a8a0d8043cc717a7352410e
SHA1

d44a65892a775b7ee07b15fe78fe9e4f8dd77995
SHA256

69f370597c62d8f4c9af2f0feb1312416f8ffea4b449763deb2782cadde00c43
SHA512

f6d38464295d64b97cbf8b85238186e74a12b5cfcc7c8fb800aa3d5b59b0ad8e273e813f42d01514d327f01b34a031add38761314be534f74f16845b470bbe9c
SSDEEP

1536://zYNeLx9iECnLTkzZRVkS+E8O0Nxu/7oKslhxtTUzM+SEusRG1uDVBf7KCtbVrq:z9KDHkzZjoVffQSEuZeVt7KG2ZR3cW

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2748	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	116b02350a8a0d8043cc717a7352410e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 2748	1388	116b02350a8a0d8043cc717a7352410e_JaffaCakes118.exe	31
PID 1388 wrote to memory of 2748	1388	116b02350a8a0d8043cc717a7352410e_JaffaCakes118.exe	31
PID 1388 wrote to memory of 2748	1388	116b02350a8a0d8043cc717a7352410e_JaffaCakes118.exe	31
PID 1388 wrote to memory of 2748	1388	116b02350a8a0d8043cc717a7352410e_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\116b02350a8a0d8043cc717a7352410e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\116b02350a8a0d8043cc717a7352410e_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Dwj..bat" > nul 2> nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dwj..bat

Filesize
238B

MD5
058261a67887344bbc054335b47dfda8

SHA1
53fd49128582240ca471cc9531b9323cc2c93bb5

SHA256
475328bab589daae2b1d950bf92159289944f9d57d48a4e85afd24a0f8d328b1

SHA512
462ed43de6f7c5f42a029e4eb6d5245e10017fbf0043e8bf330e9c9bff6300e4712e8dbd458b5523ec6f0af64b85a3acf3ad692d58c294034f574cad05d2ccad

Download Submit
memory/1388-0-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/1388-1-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/1388-2-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1388-4-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download