e3a6cf97fd5df7d58c7a9b5f446ce73827c32574dde045e6937854398b74ee7e

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 00:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2794bd460590f04fa6fb860d58101210_JaffaCakes118.exe
Size

58KB
MD5

2794bd460590f04fa6fb860d58101210
SHA1

ccd2606d3af2120344bf67a26c80c16519dfa6c2
SHA256

e3a6cf97fd5df7d58c7a9b5f446ce73827c32574dde045e6937854398b74ee7e
SHA512

ff5b0cbb754f3535e81b1fb93d2184a4a673ccc8c5c874df412222e6d28529a3814851d69ab227023d11b63773973c6e80f365289f85190f89954e1161afc79d
SSDEEP

1536:hA06JXwidibqT/KoZXyYfqPxocJkc5A6SZvL:3k5oqzKyCYqv758L

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2972	cmd.exe

Executes dropped EXE 6 IoCs

pid	Process
3032	winamp.exe
2840	winIogon.exe
2836	firewall.exe
1996	winamp.exe
1072	Isass.exe
2568	winamp.exe

Loads dropped DLL 12 IoCs

pid	Process
2960	2794bd460590f04fa6fb860d58101210_JaffaCakes118.exe
2960	2794bd460590f04fa6fb860d58101210_JaffaCakes118.exe
3032	winamp.exe
3032	winamp.exe
2840	winIogon.exe
2840	winIogon.exe
2836	firewall.exe
2836	firewall.exe
1996	winamp.exe
1996	winamp.exe
1072	Isass.exe
1072	Isass.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winamp.exe	Isass.exe
File opened for modification	C:\Windows\SysWOW64\winamp.exe	Isass.exe
File created	C:\Windows\SysWOW64\yrqmprim.bat	winamp.exe
File created	C:\Windows\SysWOW64\winamp.exe	firewall.exe
File opened for modification	C:\Windows\SysWOW64\winamp.exe	firewall.exe
File created	C:\Windows\SysWOW64\vhcthhm.bat	firewall.exe
File created	C:\Windows\SysWOW64\ezulpzt.bat	winamp.exe
File created	C:\Windows\SysWOW64\firewall.exe	winIogon.exe
File opened for modification	C:\Windows\SysWOW64\firewall.exe	winIogon.exe
File created	C:\Windows\SysWOW64\Isass.exe	winamp.exe
File created	C:\Windows\SysWOW64\winamp.exe	2794bd460590f04fa6fb860d58101210_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winIogon.exe	winamp.exe
File opened for modification	C:\Windows\SysWOW64\winIogon.exe	winamp.exe
File opened for modification	C:\Windows\SysWOW64\Isass.exe	winamp.exe
File created	C:\Windows\SysWOW64\nngbm.bat	Isass.exe
File opened for modification	C:\Windows\SysWOW64\winamp.exe	2794bd460590f04fa6fb860d58101210_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\unjb.bat	winIogon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2794bd460590f04fa6fb860d58101210_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	firewall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winamp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winamp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winIogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2972	2960	2794bd460590f04fa6fb860d58101210_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2972	2960	2794bd460590f04fa6fb860d58101210_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2972	2960	2794bd460590f04fa6fb860d58101210_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2972	2960	2794bd460590f04fa6fb860d58101210_JaffaCakes118.exe	30
PID 2960 wrote to memory of 3032	2960	2794bd460590f04fa6fb860d58101210_JaffaCakes118.exe	32
PID 2960 wrote to memory of 3032	2960	2794bd460590f04fa6fb860d58101210_JaffaCakes118.exe	32
PID 2960 wrote to memory of 3032	2960	2794bd460590f04fa6fb860d58101210_JaffaCakes118.exe	32
PID 2960 wrote to memory of 3032	2960	2794bd460590f04fa6fb860d58101210_JaffaCakes118.exe	32
PID 3032 wrote to memory of 2824	3032	winamp.exe	33
PID 3032 wrote to memory of 2824	3032	winamp.exe	33
PID 3032 wrote to memory of 2824	3032	winamp.exe	33
PID 3032 wrote to memory of 2824	3032	winamp.exe	33
PID 3032 wrote to memory of 2840	3032	winamp.exe	34
PID 3032 wrote to memory of 2840	3032	winamp.exe	34
PID 3032 wrote to memory of 2840	3032	winamp.exe	34
PID 3032 wrote to memory of 2840	3032	winamp.exe	34
PID 2840 wrote to memory of 2756	2840	winIogon.exe	36
PID 2840 wrote to memory of 2756	2840	winIogon.exe	36
PID 2840 wrote to memory of 2756	2840	winIogon.exe	36
PID 2840 wrote to memory of 2756	2840	winIogon.exe	36
PID 2840 wrote to memory of 2836	2840	winIogon.exe	38
PID 2840 wrote to memory of 2836	2840	winIogon.exe	38
PID 2840 wrote to memory of 2836	2840	winIogon.exe	38
PID 2840 wrote to memory of 2836	2840	winIogon.exe	38
PID 2836 wrote to memory of 1160	2836	firewall.exe	40
PID 2836 wrote to memory of 1160	2836	firewall.exe	40
PID 2836 wrote to memory of 1160	2836	firewall.exe	40
PID 2836 wrote to memory of 1160	2836	firewall.exe	40
PID 2836 wrote to memory of 1996	2836	firewall.exe	42
PID 2836 wrote to memory of 1996	2836	firewall.exe	42
PID 2836 wrote to memory of 1996	2836	firewall.exe	42
PID 2836 wrote to memory of 1996	2836	firewall.exe	42
PID 1996 wrote to memory of 1992	1996	winamp.exe	43
PID 1996 wrote to memory of 1992	1996	winamp.exe	43
PID 1996 wrote to memory of 1992	1996	winamp.exe	43
PID 1996 wrote to memory of 1992	1996	winamp.exe	43
PID 1996 wrote to memory of 1072	1996	winamp.exe	45
PID 1996 wrote to memory of 1072	1996	winamp.exe	45
PID 1996 wrote to memory of 1072	1996	winamp.exe	45
PID 1996 wrote to memory of 1072	1996	winamp.exe	45
PID 1072 wrote to memory of 1212	1072	Isass.exe	46
PID 1072 wrote to memory of 1212	1072	Isass.exe	46
PID 1072 wrote to memory of 1212	1072	Isass.exe	46
PID 1072 wrote to memory of 1212	1072	Isass.exe	46
PID 1072 wrote to memory of 2568	1072	Isass.exe	48
PID 1072 wrote to memory of 2568	1072	Isass.exe	48
PID 1072 wrote to memory of 2568	1072	Isass.exe	48
PID 1072 wrote to memory of 2568	1072	Isass.exe	48

C:\Users\Admin\AppData\Local\Temp\2794bd460590f04fa6fb860d58101210_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2794bd460590f04fa6fb860d58101210_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\nhiult.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2972
- C:\Windows\SysWOW64\winamp.exe
  C:\Windows\system32\winamp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\SysWOW64\yrqmprim.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2824
- - C:\Windows\SysWOW64\winIogon.exe
    C:\Windows\system32\winIogon.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Windows\SysWOW64\unjb.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2756
  - - C:\Windows\SysWOW64\firewall.exe
      C:\Windows\system32\firewall.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\vhcthhm.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1160
    - - C:\Windows\SysWOW64\winamp.exe
        
        C:\Windows\system32\winamp.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1996
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\ezulpzt.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
      - C:\Windows\SysWOW64\Isass.exe
        
        C:\Windows\system32\Isass.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\nngbm.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Windows\SysWOW64\winamp.exe
        
        C:\Windows\system32\winamp.exe
        7⤵
        Executes dropped EXE
        
        PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nhiult.bat

Filesize
242B

MD5
86dbab0c3055c7cfd4f8e5314ae62af4

SHA1
2801d076b105f14a63dcb5073ae28626ca0d9184

SHA256
884394eb03c187395cb3d03fd2e8bee0ce69d7809d4c8b3167b0a12bd56fb126

SHA512
982c1e2d19d393bc67c97d65794579e09933f1eb1dc827560c04c4b250ada6e3a3d28aaa2343f8ff389ba9bca0bf63f2913163d132f91c99c6514c7451b4d9be

Download Submit
C:\Windows\SysWOW64\ezulpzt.bat

Filesize
123B

MD5
9a37c0acb11d4c1221a48441f3349e3c

SHA1
2c925cf181e68742a803cb1f6a5ca4c5696545be

SHA256
e27fc0351d59b3e45c7e3e340a0dda4dfeb04b6e882c26c244d232efe7f91d67

SHA512
d2533b202d90462ca27bb4b8d35ded7e48cff1bd4d65a8a479c15f04f789c86dd274908b38d82262681ec97f9aa279c36011a0b698e6dbc9b15b8e34d8a845e4

Download Submit
C:\Windows\SysWOW64\nngbm.bat

Filesize
118B

MD5
06acfd36d91a03d2e982ffe2c900834c

SHA1
ef2a2102f5fbb547e78a900257cf2470da8bb6ad

SHA256
c2628f682ec3fe41f6c8e1b70c4d459aa96df981e4efab704d851e9854de6d4a

SHA512
a57b7a947f90deb7dc31fa3303947aea7abc491e67ae732a352e6e8bba6ba38a9c7d406a421aec1772fd316effa4e018f882137851fac5c2ed46b04aef2adb4c

Download Submit
C:\Windows\SysWOW64\unjb.bat

Filesize
126B

MD5
da41f6879e0afb23a8b309de63cc6ef1

SHA1
bd95cbb615ced4e173bcc026c2523f05513beb45

SHA256
1d32609e0a55415bb5358e211895f9f3adb9d72f647515754126afccecfe4293

SHA512
c3122463a8b983521f72c45bc2c1238e49b1408df2abf6f005d5f2b3233656da153c0ee0808ff439e9f3242111547a19f5a9b8853f08067ffe28054e2caae370

Download Submit
C:\Windows\SysWOW64\vhcthhm.bat

Filesize
129B

MD5
0212b7950853896b931243fce8dd8572

SHA1
1588c1ef8fbbd481788317930ee01ecaf266ebc4

SHA256
f4bc9b5af591c377dd269db066eba4f3a51736fb3225a817e4cdf2a9075e09a8

SHA512
34e92d249408ab8c5e8dc3e71fd9396df21f157be681b82da9c100fba59f1e66725edc346bc6def6c29a9afc05a28327f8896b737bd0ed048b0f5fe4948a2ecf

Download Submit
C:\Windows\SysWOW64\yrqmprim.bat

Filesize
124B

MD5
3a23784d08beee88790bd84069443192

SHA1
0103b36223d9d968e084ece5f9da2b2ecf6a77f9

SHA256
cce3da12657d8491bc1073825cb802fe5bdc69b20fc9667b5d781957683d1c3c

SHA512
0cfd228194ae843de03878e6c5f283f750f74d6e6e8ff2634591ee080b3e8bb860e81a124b916e7c92f35bcba6cb5a9767a5c56ff36a9198567f1402929d4327

Download Submit
\Windows\SysWOW64\winamp.exe

Filesize
58KB

MD5
2794bd460590f04fa6fb860d58101210

SHA1
ccd2606d3af2120344bf67a26c80c16519dfa6c2

SHA256
e3a6cf97fd5df7d58c7a9b5f446ce73827c32574dde045e6937854398b74ee7e

SHA512
ff5b0cbb754f3535e81b1fb93d2184a4a673ccc8c5c874df412222e6d28529a3814851d69ab227023d11b63773973c6e80f365289f85190f89954e1161afc79d

Download Submit
memory/1072-148-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1072-126-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1996-124-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1996-102-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2568-152-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2836-97-0x0000000002A70000-0x0000000002AA0000-memory.dmp

Filesize
192KB

Download
memory/2836-98-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2836-75-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2840-73-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2840-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2960-2-0x0000000000421000-0x0000000000430000-memory.dmp

Filesize
60KB

Download
memory/2960-23-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2960-17-0x0000000002820000-0x0000000002850000-memory.dmp

Filesize
192KB

Download
memory/2960-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2960-1-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3032-48-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3032-26-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download