5ea3ba4978a6d36f509aa3bcf8b11fe6b6ce0bcae53afeb20a1bfd97c9af56c1

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe
Size

165KB
MD5

14c916f564d38ab6a1f2433acb77b40c
SHA1

fb1840eca54075edf9daf1afe6abbd8ca254bb5e
SHA256

5ea3ba4978a6d36f509aa3bcf8b11fe6b6ce0bcae53afeb20a1bfd97c9af56c1
SHA512

3ddcd21a371b4d7ef6b7fbbeaa637439935644bc11aca931f0bb81df2f46561d7a878ef4be0bd6eb3a7e51c8b601fcc050634f3aab96ac508511026e258c1bec
SSDEEP

3072:Y4HCWau/PlYeuL7ZLFh6Ca6cbL9l2hzB3fJCC6j8+Er6ez4w:HiI/PlY37ZLF4Ca6WABqBOvsw

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2116	ins8397.exe

Loads dropped DLL 4 IoCs

pid	Process
2120	14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe
2120	14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe
2120	14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe
2120	14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ins8397.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2116	ins8397.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	ins8397.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2116	ins8397.exe
2116	ins8397.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2116	2120	14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe	31
PID 2120 wrote to memory of 2116	2120	14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe	31
PID 2120 wrote to memory of 2116	2120	14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe	31
PID 2120 wrote to memory of 2116	2120	14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe	31
PID 2120 wrote to memory of 2116	2120	14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe	31
PID 2120 wrote to memory of 2116	2120	14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe	31
PID 2120 wrote to memory of 2116	2120	14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Users\Admin\AppData\Local\Temp\ins8397\ins8397.exe
  "C:\Users\Admin\AppData\Local\Temp\ins8397\ins8397.exe" ins.exe /e6932806 /u50d1d9d5-cf90-407c-820a-35e05bc06f2f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ins8397\ins8397.exe

Filesize
257KB

MD5
ae117f47bd80e5dcf72cf81347fceb73

SHA1
1cd3e4c5fc9fb317b7a8eae6c94d53078800b635

SHA256
49b0ec8a4000cb30f15b318bef4b6f59be2d0f7365be4c4b2b4fd5607e16e23c

SHA512
72d322ec9b13e9ede1967707129f2941328ec75487aa5ea205eab0780ef26c33f253204ce08932052a6ed19d13bd62e68b4f795ef17717b9f31e5a76a9f0c16f

Download Submit
memory/2116-20-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/2116-17-0x0000000074771000-0x0000000074772000-memory.dmp

Filesize
4KB

Download
memory/2116-18-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/2116-19-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/2116-21-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/2116-22-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/2116-25-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/2116-26-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/2120-3-0x0000000002010000-0x0000000002020000-memory.dmp

Filesize
64KB

Download
memory/2120-0-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2120-23-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2120-24-0x0000000002010000-0x0000000002020000-memory.dmp

Filesize
64KB

Download
memory/2120-27-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download