c87ac5f7b9521a3355f60a0b526eac8aba93d41a32d1c16473ab4b5100bfc005

Analysis

max time kernel
142s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2024, 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26ed75f24f23cb0d42ada6b200cf99ec_JaffaCakes118.exe
Size

141KB
MD5

26ed75f24f23cb0d42ada6b200cf99ec
SHA1

71fe1d82dc721478dd4957c27df1c430fd2b7854
SHA256

c87ac5f7b9521a3355f60a0b526eac8aba93d41a32d1c16473ab4b5100bfc005
SHA512

069227b8b1a334ad1e48f20a40d615669c9d9228b7a3fcd01829c9a8d9256a73ed3fe95e5eaf3f24d750f0b0c5218e77a567aa1263f80bd9c02278d954a23fbf
SSDEEP

3072:ZGu9BlfzWIbXWm+w0Jz5iyhC33O+99/ABUC+BciLb1vQyoFYkTNiP4Oy1Ek:Z/0uodC33O29AqCQ14FjRiP4xl

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
628	ppi.exe
116	ppi.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	26ed75f24f23cb0d42ada6b200cf99ec_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 628 set thread context of 116	628	ppi.exe	87

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26ed75f24f23cb0d42ada6b200cf99ec_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppi.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
116	ppi.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 628	3984	26ed75f24f23cb0d42ada6b200cf99ec_JaffaCakes118.exe	85
PID 3984 wrote to memory of 628	3984	26ed75f24f23cb0d42ada6b200cf99ec_JaffaCakes118.exe	85
PID 3984 wrote to memory of 628	3984	26ed75f24f23cb0d42ada6b200cf99ec_JaffaCakes118.exe	85
PID 628 wrote to memory of 116	628	ppi.exe	87
PID 628 wrote to memory of 116	628	ppi.exe	87
PID 628 wrote to memory of 116	628	ppi.exe	87
PID 628 wrote to memory of 116	628	ppi.exe	87
PID 628 wrote to memory of 116	628	ppi.exe	87
PID 628 wrote to memory of 116	628	ppi.exe	87
PID 628 wrote to memory of 116	628	ppi.exe	87
PID 628 wrote to memory of 116	628	ppi.exe	87

C:\Users\Admin\AppData\Local\Temp\26ed75f24f23cb0d42ada6b200cf99ec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\26ed75f24f23cb0d42ada6b200cf99ec_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\exhelp32.exe

Filesize
5KB

MD5
380b9372ec84759cc38caeb166c618c3

SHA1
508810be3f0969377207795040b3bd0e95955b9f

SHA256
70e9fdb3b9e717e18816093b718200ca42ec202280c1ba281ecc91839d37c01a

SHA512
d3e1d96a0fb6425a8fcaeabf8d20c853a8fa2a8210c0d0886396ee6716fd4c5879cf9ea66bf014f9c50341b1e1616307482b977779a510debd6d63c26a1091a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe

Filesize
164KB

MD5
d31d600bbdc5a27f174252df5d3ccc01

SHA1
7a93cef8500d12c00678ee13e728036dd843cb35

SHA256
97770efd6a2c1ede7e8aabb53419380d2fa4221d9b1dace6c1c59a5203f15459

SHA512
63b40061a9ebb4cfbd2e580bf5d31eb08e5ed0cb1823b2aea7ae85b48e008db63e6831dd1c004ef8a593e83db7eced7486659e881a62611da1d6bf509941601b

Download Submit
memory/116-7-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/116-12-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/116-17-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads