1e75eb8b78d2c35d9c89080f60a37a268227939bb8e516833530304e8c57f452

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29e775b2d95b5a33348651900ce8f5eb_JaffaCakes118.jad
Size

64KB
MD5

29e775b2d95b5a33348651900ce8f5eb
SHA1

6f7d714c1779367cba1cb64cf8fcff22b0f26f1f
SHA256

1e75eb8b78d2c35d9c89080f60a37a268227939bb8e516833530304e8c57f452
SHA512

2e349d95975ac3a7ee4b94a57ecf19b2a9d4eb20cbd5e0aa8fe7629b8af666e0b16f3a1f44b190b3ee693ca32f63171db8b2be1877474a5c6f28223942cdb430
SSDEEP

1536:exY2pxBWG1vAxhEopE6dld2lpD/u5XBVDwseL5T:cVhYVi3ruJBFwsedT

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2784	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2784	AcroRd32.exe
2784	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 264 wrote to memory of 2056	264	cmd.exe	32
PID 264 wrote to memory of 2056	264	cmd.exe	32
PID 264 wrote to memory of 2056	264	cmd.exe	32
PID 2056 wrote to memory of 2784	2056	rundll32.exe	33
PID 2056 wrote to memory of 2784	2056	rundll32.exe	33
PID 2056 wrote to memory of 2784	2056	rundll32.exe	33
PID 2056 wrote to memory of 2784	2056	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\29e775b2d95b5a33348651900ce8f5eb_JaffaCakes118.jad
1⤵
- Suspicious use of WriteProcessMemory
PID:264
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\29e775b2d95b5a33348651900ce8f5eb_JaffaCakes118.jad
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\29e775b2d95b5a33348651900ce8f5eb_JaffaCakes118.jad"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
fbd89f8b66c926cc3d2ada13f56adc42

SHA1
ac7b1b5811af0bb96ea7226e3a9ace357573814e

SHA256
c7010218c62b76eb8778b7840a97ec349349cf45c1164ae4fdc1dba3e48aa589

SHA512
fe66119addfde2a9e8bea04e62c6380e6b4378ef6fcb34288221a239b2cd6284e99538990406a4b414b9a3df687b784c53df8ad607d2b30cd6cfe6eb69dbf334

Download Submit