23914f9b9807d142ea60691ea70e16fd8237bb1e3544faaecd78e114537416fa

Analysis

max time kernel
140s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
Size

1005KB
MD5

12e9927d52006fdfb16919e0ccdfb670
SHA1

128643ef042e58f53b0d493441afb5ef6fa61bc5
SHA256

23914f9b9807d142ea60691ea70e16fd8237bb1e3544faaecd78e114537416fa
SHA512

76dae07dd4b99f1bffb9bdbe79b07a2246f31271a288562adff5e6d9af4587c1234895ac651c55025d27de4e4d623adf266aaabaf0735791900a628c8d981ad1
SSDEEP

24576:5aK/eDpS1eAR+XTQeZaSyYE5Qs+B9Kfyl/QlrnRdyNCMNqL1Xi:3/e9jCST5ZHyYE5hboir91Xi

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2364	svchost.exe
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
2444	svchost.exe

Loads dropped DLL 14 IoCs

pid	Process
2364	svchost.exe
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x00070000000186e4-10.dat	nsis_installer_1

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1956	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2364	2332	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe	30
PID 2332 wrote to memory of 2364	2332	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe	30
PID 2332 wrote to memory of 2364	2332	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe	30
PID 2332 wrote to memory of 2364	2332	12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe	30
PID 2364 wrote to memory of 1956	2364	svchost.exe	31
PID 2364 wrote to memory of 1956	2364	svchost.exe	31
PID 2364 wrote to memory of 1956	2364	svchost.exe	31
PID 2364 wrote to memory of 1956	2364	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1956

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\btwarning.ini

Filesize
190B

MD5
196a035a4b877d0fa9c3fa082919f65d

SHA1
09ae3fb430a11970424c643a4e1dd85e3bac6d95

SHA256
19908ebd28db7e4c75d37b98112970f8ac468403b62bdaad4d519f03f352438f

SHA512
1483c0a6ae96a2707480bedcf5f0c656e2b1627f21127750957df12aefd284abe3d94e5dce8e64a4ec7513a161fc75d8997f9e938d20703d4f8b92e355825cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\ioSpecial.ini

Filesize
688B

MD5
a37c37be21f83f2831a05fa029b469d2

SHA1
873ebb0e4fd1b00ae11e8eebdb31469e56811726

SHA256
01e04d0e0571c0387d73129f1e44e09608d3375d31012fc744183e66701ab70b

SHA512
89fc5899a8b845cb58eebd95e7e8ecd9b28732183406926205d318719c0d1f9d4d8a3a03ed7fd56cca07ec73cc335b6980099ed1cd469bfae1a3ae3aab667c72

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
\Users\Admin\AppData\Local\Temp\12e9927d52006fdfb16919e0ccdfb670_JaffaCakes118.exe

Filesize
969KB

MD5
4aa7b3644724f2da70054eb3c4f92c78

SHA1
e18fbb8ca40ed86c3793474cc35f427e669cddea

SHA256
0ba8d7841aa524ef55b0c9ce4557b7286e0bb5eb2195ef1bd03c7dab8da9f10c

SHA512
7b703024d6328b20ea4bd27885a6cdcfdaef14a4d48df998e9eed80c3b04e0171d2c87cc36a8277e3d599c6529df8c4635c59a5503113a6bbc6344e010a08e05

Download Submit
\Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\CustomLicense.dll

Filesize
2KB

MD5
6c20819f7b1b3c25b4cc2aab38bdc6c3

SHA1
005c475c579cee2c60d77642d6d9586e0884964e

SHA256
156719e9b9f965f0e205aeb9e4f07254ea0576fd422f7e90e8f1d90e5fc51050

SHA512
635b602c451a8f29e6618670ebc08753d0008025fc3f0ca7619eaa578a76acaad1a88f86df9be64a3dd50db849e6513e465b1a3eda006da16b9ec03c566de2ea

Download Submit
\Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\InstallOptions.dll

Filesize
14KB

MD5
296a5f3179fa8d7a7a855eaf696ede44

SHA1
57aa5b71553ed282dd22c768e039a187f5c13f63

SHA256
ee0ad77e681c4d0fdf1d67df5f4ca03e6bdd8e3b05dfb47a83ad5c733ed62960

SHA512
bc527d1485f468e8d098057e0e38e8cb7aa6eb64d4ca30927b99b1552a3177b132b989015ff95bdf2ca046bf11a54b4b456f51e024fbc734fbb548c3499e53f6

Download Submit
\Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\NSISdl.dll

Filesize
14KB

MD5
1413350c401e65ee4666fa36c9d8997c

SHA1
acab76b047c0512125de49fead6b84e92da0b0f6

SHA256
aff65714ba229568469a9addf9b2b58e4bb169ee94ac423523e12afa9ec28365

SHA512
9b46512941e2ad8ef47f0024a0f0e069743c714dd5c525bbbfc9dd871696a121b53236757225257495ba8a1a71f68ea79a324a84503a6f0a3d3c40990aa1f160

Download Submit
\Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\Processes.dll

Filesize
35KB

MD5
2cfba79d485cf441c646dd40d82490fc

SHA1
83e51ac1115a50986ed456bd18729653018b9619

SHA256
86b302fa9c85dfa0c1c03ba000864a928365dab571f3355347dba02da22949b7

SHA512
cca186a7f9c5cff3f4eca410fbe8cc13dad2514a7e36aec9b1addfbcb239ace9b9b2d8427771858e3fd11783abce7e24d43c286f98da9f8b17562ca095a4c043

Download Submit
\Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\StartMenu.dll

Filesize
7KB

MD5
4973362a84e11dd8541387ab1694afcc

SHA1
b78a0fe67c07713c7abd9668b881c4bc808d9a7a

SHA256
7757518466b21ce175607f10599f26fff127d59a16dc10bf4ba4b7d83d13d47d

SHA512
65c305eced5cd81fe3a573827d62a33e400f03d5bfcb3b3a503927bc0decaedef5d74e6d1ba25a0601fe812f8d2424887d58211c3f3cea1442643f5d1c23c2fb

Download Submit
\Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\System.dll

Filesize
10KB

MD5
86b5a07a43b7cbc5c49263b8d974b736

SHA1
78388286a311810d812c13d87dea12d581713e60

SHA256
5897fb00be38e502fb5dfd047d97e5e4da6387a7a6259633dc31c2427612901b

SHA512
dcbe379c28302bb3472339cd24949b16548fa0003882a920df6839078cc7b2563f058a0524bf25df0a5ec8b08e302ebc9e646033109958669d8af883af959ffe

Download Submit
\Users\Admin\AppData\Local\Temp\nsyC0B1.tmp\UAC.dll

Filesize
16KB

MD5
acfb66ee6fc1f4266229ec6098fe1740

SHA1
e1aeb31b11996015d7f17308e2f2bbe69d4e1476

SHA256
6d7e8070fa09cc4bb66fb99c2b88d0f5419602fa64a519437f430d9378300b1e

SHA512
bf0b5b22c57c08c88b4cbdd75bdf0c8eac433d42b4d163349391b71bc44d913e4d0e28e0826a7c27b418e6d2aa37c08c90577b56baa946a8f129486fbe01c303

Download Submit
memory/2332-5-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2364-21-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2444-175-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download