19ab8433a03a439a320cf7a7eab55a8fd80e5afe41ec4c9c5ca6603bd19af8a0

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bc5f514f5d7efbcd719c99eb5832c4f_JaffaCakes118.exe
Size

76KB
MD5

2bc5f514f5d7efbcd719c99eb5832c4f
SHA1

0062ec9063ba8ab76b53da60b83e85866b5ddd39
SHA256

19ab8433a03a439a320cf7a7eab55a8fd80e5afe41ec4c9c5ca6603bd19af8a0
SHA512

c2a9c33c10bc0796d5281b69c8e7c413e7d2628ec40afebee438876b561878aecdd37a37068ab0974a96dc65eb008d88d097bed12bcf91183380fe8f9633f6e7
SSDEEP

768:cQ6VvM1MMnY+1j4I4SccFhqmvdgxXGcZDxc7mdKnI/:cmnV1U2c+qHhPZDW

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	2bc5f514f5d7efbcd719c99eb5832c4f_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Admin.exe

Executes dropped EXE 1 IoCs

pid	Process
2160	Admin.exe

Loads dropped DLL 2 IoCs

pid	Process
2548	2bc5f514f5d7efbcd719c99eb5832c4f_JaffaCakes118.exe
2548	2bc5f514f5d7efbcd719c99eb5832c4f_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"	2bc5f514f5d7efbcd719c99eb5832c4f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"	Admin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bc5f514f5d7efbcd719c99eb5832c4f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2548	2bc5f514f5d7efbcd719c99eb5832c4f_JaffaCakes118.exe
2548	2bc5f514f5d7efbcd719c99eb5832c4f_JaffaCakes118.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2548	2bc5f514f5d7efbcd719c99eb5832c4f_JaffaCakes118.exe
2160	Admin.exe
2548	2bc5f514f5d7efbcd719c99eb5832c4f_JaffaCakes118.exe
2160	Admin.exe
2548	2bc5f514f5d7efbcd719c99eb5832c4f_JaffaCakes118.exe
2160	Admin.exe
2548	2bc5f514f5d7efbcd719c99eb5832c4f_JaffaCakes118.exe
2160	Admin.exe
2548	2bc5f514f5d7efbcd719c99eb5832c4f_JaffaCakes118.exe
2160	Admin.exe
2548	2bc5f514f5d7efbcd719c99eb5832c4f_JaffaCakes118.exe
2160	Admin.exe
2548	2bc5f514f5d7efbcd719c99eb5832c4f_JaffaCakes118.exe
2160	Admin.exe
2548	2bc5f514f5d7efbcd719c99eb5832c4f_JaffaCakes118.exe
2160	Admin.exe
2548	2bc5f514f5d7efbcd719c99eb5832c4f_JaffaCakes118.exe
2160	Admin.exe
2548	2bc5f514f5d7efbcd719c99eb5832c4f_JaffaCakes118.exe
2160	Admin.exe
2548	2bc5f514f5d7efbcd719c99eb5832c4f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2548	2bc5f514f5d7efbcd719c99eb5832c4f_JaffaCakes118.exe
2160	Admin.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2160	2548	2bc5f514f5d7efbcd719c99eb5832c4f_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2160	2548	2bc5f514f5d7efbcd719c99eb5832c4f_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2160	2548	2bc5f514f5d7efbcd719c99eb5832c4f_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2160	2548	2bc5f514f5d7efbcd719c99eb5832c4f_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\2bc5f514f5d7efbcd719c99eb5832c4f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2bc5f514f5d7efbcd719c99eb5832c4f_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\Admin.exe
  "C:\Users\Admin\Admin.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\Admin.exe

Filesize
76KB

MD5
3857999fb2d22f74742f5d375e4acce5

SHA1
4145467b4eb16223a1f4fc3583a98c93bc6cfcd9

SHA256
446c2c4956b26e074f8ce1d674b0fd7586b10b870a7a57cc219207c859c91a1e

SHA512
d3419702d43628bd56895c65be715b3ddf7298c6aefa94540c06f92e3db70d5f58c1b0575cf08c2934a85454251c8026017b8354533a2a7c7439fadfe42fad52

Download Submit