e9dab33feba496b4ff9ffa4b5f7e7a4cdedf679819fa373b804f7903af61a668

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2024 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11d1bf90af94e5b226880862d0873777_JaffaCakes118.exe
Size

793KB
MD5

11d1bf90af94e5b226880862d0873777
SHA1

c459e445b6fe204f0c827fa273105969618d07cb
SHA256

e9dab33feba496b4ff9ffa4b5f7e7a4cdedf679819fa373b804f7903af61a668
SHA512

f301c292925ca702c743d3f076de67521a2690a64373baf7be6904390e05ba28f63249a1a6e13f995c91eb87b69cd2d3879e8d8c658d6da889437093c03c57dc
SSDEEP

12288:eTsOWptwlMYHUVmkzT5/tSup0DZySyAdr1b0+uJGgZaNtcknzU5cBbOHsh:eQrpmmY0Vm+CupW/0+dlTcknzos

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
868	update.exe

Loads dropped DLL 2 IoCs

pid	Process
868	update.exe
868	update.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\setupapi.log	update.exe
File opened for modification	\??\c:\windows\KB888111.log	update.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11d1bf90af94e5b226880862d0873777_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	968	11d1bf90af94e5b226880862d0873777_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 868	968	11d1bf90af94e5b226880862d0873777_JaffaCakes118.exe	82
PID 968 wrote to memory of 868	968	11d1bf90af94e5b226880862d0873777_JaffaCakes118.exe	82
PID 968 wrote to memory of 868	968	11d1bf90af94e5b226880862d0873777_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\11d1bf90af94e5b226880862d0873777_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\11d1bf90af94e5b226880862d0873777_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968
- \??\c:\86eea3466b033f6e51755775677ca2\update\update.exe
  c:\86eea3466b033f6e51755775677ca2\update\update.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\86eea3466b033f6e51755775677ca2\update\update.exe

Filesize
700KB

MD5
13f40799bd1bf4b7e3e8c77194121342

SHA1
2d723e5d9abc98f1432c939cd7626d102469c12d

SHA256
2a12d2bcb26e96babbc82737ffe30d76afe7db8daf40c7c3594d9665d5dfdb17

SHA512
237d7fb124a7b577598e1f2191afc80513992c0af9e290956b82aae18d8c6daeb3dfab457deb3378e2b17d69c17d757faf98a8b5ea0cee7d3c50b18367312aed

Download Submit
\??\c:\86eea3466b033f6e51755775677ca2\update\UPDSPAPI.dll

Filesize
363KB

MD5
94b3ff0f65e277bdbbc5e39747ea034d

SHA1
4bfb51f6d77f5123728c0bf360f4396617c1cd5e

SHA256
5e4f341be4c0627d02282aad5f1df9a73cf9600f41325c0fd3783f119f421b81

SHA512
8643b0b7c38e9fa18d1537bb783a6674e37600d2e882d7ea66c26ffb761eaeeb87a69d04513525c34b2dea964b8a90cd11c4a2e863ac58766c4d5b06ddf47d24

Download Submit
\??\c:\86eea3466b033f6e51755775677ca2\update\update.inf

Filesize
7KB

MD5
c3d577bfbe5f2fd9e8dab41fcf249bdf

SHA1
4f2a0d5a160e57c997f8db98368ff2fee6126d3d

SHA256
8cccfc8ff7744383454694b896191a631a87e4a23369a455513f357d65e2c2e4

SHA512
d1eda71eb66ad058d1537685c308d23010e92cbf5b12629df4765abdeea01dcc9df8d08150c1c244bbb543628728ba8e308649787aaa0bc9d97b01d4975e2595

Download Submit
memory/868-29-0x0000000000660000-0x00000000006BC000-memory.dmp

Filesize
368KB

Download
memory/968-0-0x0000000001000000-0x00000000010DC000-memory.dmp

Filesize
880KB

Download
memory/968-31-0x0000000001000000-0x00000000010DC000-memory.dmp

Filesize
880KB

Download
memory/968-52-0x0000000001000000-0x00000000010DC000-memory.dmp

Filesize
880KB

Download