602dc66f381c6fdd82f1222f981e8cb369971173d53554054fb038c6ae367858

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 07:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2d2aedd4ed91435f94ead42921dd93f7_JaffaCakes118.exe
Size

142KB
MD5

2d2aedd4ed91435f94ead42921dd93f7
SHA1

24e8981bd36da3b4e23e936626d6d60f0058af5d
SHA256

602dc66f381c6fdd82f1222f981e8cb369971173d53554054fb038c6ae367858
SHA512

0ce8cdafdfa65a17e625c83775c1415581561ae9552c88d69e64964179f7d97390d2c67ac0036932976c9b8f34a8921f0e598c7673292ba43da05b9866bf7330
SSDEEP

3072:iBAp5XhKpN4eOyVTGfhEClj8jTk+0hwdGS:xbXE9OiTGfhEClq9Bf

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	2172	WScript.exe
7	2172	WScript.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\insta2\insta1\data.txt	2d2aedd4ed91435f94ead42921dd93f7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\insta2\insta1\volgogran1.bat	2d2aedd4ed91435f94ead42921dd93f7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\insta2\insta1\nuninu.vbs	2d2aedd4ed91435f94ead42921dd93f7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d2aedd4ed91435f94ead42921dd93f7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2572	2900	2d2aedd4ed91435f94ead42921dd93f7_JaffaCakes118.exe	30
PID 2900 wrote to memory of 2572	2900	2d2aedd4ed91435f94ead42921dd93f7_JaffaCakes118.exe	30
PID 2900 wrote to memory of 2572	2900	2d2aedd4ed91435f94ead42921dd93f7_JaffaCakes118.exe	30
PID 2900 wrote to memory of 2572	2900	2d2aedd4ed91435f94ead42921dd93f7_JaffaCakes118.exe	30
PID 2900 wrote to memory of 2172	2900	2d2aedd4ed91435f94ead42921dd93f7_JaffaCakes118.exe	32
PID 2900 wrote to memory of 2172	2900	2d2aedd4ed91435f94ead42921dd93f7_JaffaCakes118.exe	32
PID 2900 wrote to memory of 2172	2900	2d2aedd4ed91435f94ead42921dd93f7_JaffaCakes118.exe	32
PID 2900 wrote to memory of 2172	2900	2d2aedd4ed91435f94ead42921dd93f7_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\2d2aedd4ed91435f94ead42921dd93f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d2aedd4ed91435f94ead42921dd93f7_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\insta2\insta1\volgogran1.bat" "
  2⤵
  - Drops file in Drivers directory
  - System Location Discovery: System Language Discovery
  PID:2572
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\insta2\insta1\nuninu.vbs"
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\insta2\insta1\data.txt

Filesize
3B

MD5
07e1cd7dca89a1678042477183b7ac3f

SHA1
a2e33d344f272e100d4a8efeabc7ae8a60a8ba7a

SHA256
3038bfb575bee6a0e61945eff8784835bb2c720634e42734678c083994b7f018

SHA512
6f3c7437e476e2e6ef2659d202b878aefd93370f6fd9f5a22cc7978d7fa1acafbda3c10b5fffd798ccbb502468353dc8740902e436645491fe7ce564b091b8a3

Download Submit
C:\Program Files (x86)\insta2\insta1\nuninu.vbs

Filesize
1004B

MD5
f0bbdadee956efb793835156a7a274f2

SHA1
cfada6617f23cb80e5d762380e5c15e6466a1110

SHA256
6f0ccb2a60528af2939b1454eeb62814be4ed622bb34dd0edccf2fa19deaeb77

SHA512
aeadd5138ca97945e7d72df85983b82db391ca82e7c729d938d3039210b251a010a9812d53105a7fef158da9ffa48eb7c2ead74b7d2a57003749153d54bb92c1

Download Submit
C:\Program Files (x86)\insta2\insta1\volgogran1.bat

Filesize
1KB

MD5
8ef2df08a6298d732794719ae4c0c692

SHA1
282a11eeda2ed5c30e2758af0c8b88e5408173f0

SHA256
bae40d3130e0eb24c6351daf3fb7af182f1f9c44f8c5b54367646e590f84d9e4

SHA512
16ae501118906b49a1e7bb37fc458acc437fdd0eb49c2a12e1857b7d0d1f250a2c0313949861ba600bc8a286af00c7e92d5b2e81f35fb7c18d9f2b548c8c9979

Download Submit
memory/2900-27-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download