c553b1c33189e98c02c5d170074269138f6d9e6f922d23ce4f37dd7adf143cba

Analysis

max time kernel
3s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2911a0b22b3c104013caa93c79339bb5_JaffaCakes118.exe
Size

16KB
MD5

2911a0b22b3c104013caa93c79339bb5
SHA1

cc2ca17f6f694c914cefa1b0be9c4425c142ebec
SHA256

c553b1c33189e98c02c5d170074269138f6d9e6f922d23ce4f37dd7adf143cba
SHA512

cbc98bf4bd8d522eed95500d3da0d09f0d9ec70b891690d8d3ef496acc1094de7977b02605bba2924bf4aecf1c8ffdad25d4b68ea46fa19aec5d3a09177fe4f8
SSDEEP

384:+qIxoxSu8JW5VMazYmUhP45UqnmpblQmuFrI33w:+qEMSu8gRCMmcmuW3w

Score

7^/10

discovery persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
796	2911a0b22b3c104013caa93c79339bb5_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fmsbbqi = "C:\\Windows\\fmsbbqi.exe"	2911a0b22b3c104013caa93c79339bb5_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fmsbbqi.dll	2911a0b22b3c104013caa93c79339bb5_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\fmsbbqi.exe	2911a0b22b3c104013caa93c79339bb5_JaffaCakes118.exe
File opened for modification	C:\Windows\fmsbbqi.exe	2911a0b22b3c104013caa93c79339bb5_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2911a0b22b3c104013caa93c79339bb5_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
796	2911a0b22b3c104013caa93c79339bb5_JaffaCakes118.exe
796	2911a0b22b3c104013caa93c79339bb5_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
796	2911a0b22b3c104013caa93c79339bb5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 796 wrote to memory of 3540	796	2911a0b22b3c104013caa93c79339bb5_JaffaCakes118.exe	56
PID 796 wrote to memory of 3540	796	2911a0b22b3c104013caa93c79339bb5_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3540
- C:\Users\Admin\AppData\Local\Temp\2911a0b22b3c104013caa93c79339bb5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2911a0b22b3c104013caa93c79339bb5_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:796

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:5092

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\fmsbbqi.dll

Filesize
28KB

MD5
9e83955ed5f597d9b3b1bb0fa9b6ddce

SHA1
d6a4464cc372c9190f49e6f34f0ce66e4a1691eb

SHA256
3bc9b0ada2f09cd118838979f2a98857296143c6eec117245630361ccb96bffe

SHA512
04bf4bfb0cc38c3183d4c2abbffbd427bd77403009c742cb84368c965000336208273f2b447e7f732d7295f5675c37b9319094266337c0bc4c6eb8d428d0e21e

Download Submit
memory/796-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/796-7-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/796-8-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download