d2b6ee82df435d2f956c97e7b0d65d43f789ec0214ad357581a246ec953ff8da

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fb1acd22aeab531557d8c830a8e39de_JaffaCakes118.exe
Size

280KB
MD5

2fb1acd22aeab531557d8c830a8e39de
SHA1

76ccd7c05418e8b00e69a8974cbda9160a78e440
SHA256

d2b6ee82df435d2f956c97e7b0d65d43f789ec0214ad357581a246ec953ff8da
SHA512

61a5b9182b09f563f78051396e564273191ed0cd547919b0b3d7e0a223827658bac4fec3a191ea2e496e43a5c30f7e1433135df7b1e2dee8f5a0cbc0cf82cb3d
SSDEEP

3072:Yej8cRQ/ro3Fs5Uij0/5PTbI0l7BRATIsaBPiG7c0EylSDBNYTsuZfj:Yej8+Q57j65PTL77wGBr8DTYwuZb

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1036	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2816	rfqbal.exe

Loads dropped DLL 2 IoCs

pid	Process
1036	cmd.exe
1036	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfqbal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fb1acd22aeab531557d8c830a8e39de_JaffaCakes118.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2140	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2140	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1036	2060	2fb1acd22aeab531557d8c830a8e39de_JaffaCakes118.exe	31
PID 2060 wrote to memory of 1036	2060	2fb1acd22aeab531557d8c830a8e39de_JaffaCakes118.exe	31
PID 2060 wrote to memory of 1036	2060	2fb1acd22aeab531557d8c830a8e39de_JaffaCakes118.exe	31
PID 2060 wrote to memory of 1036	2060	2fb1acd22aeab531557d8c830a8e39de_JaffaCakes118.exe	31
PID 1036 wrote to memory of 2816	1036	cmd.exe	33
PID 1036 wrote to memory of 2816	1036	cmd.exe	33
PID 1036 wrote to memory of 2816	1036	cmd.exe	33
PID 1036 wrote to memory of 2816	1036	cmd.exe	33
PID 1036 wrote to memory of 2140	1036	cmd.exe	34
PID 1036 wrote to memory of 2140	1036	cmd.exe	34
PID 1036 wrote to memory of 2140	1036	cmd.exe	34
PID 1036 wrote to memory of 2140	1036	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\2fb1acd22aeab531557d8c830a8e39de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2fb1acd22aeab531557d8c830a8e39de_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\epfueds.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Users\Admin\AppData\Local\Temp\rfqbal.exe
    "C:\Users\Admin\AppData\Local\Temp\rfqbal.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2816
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\epfueds.bat

Filesize
124B

MD5
2efa7f0276c9a6d8e392d1c12b41f9b7

SHA1
80dd5f74d34a608a54d33e962748b57127aa63bf

SHA256
39da8ffa5db9caa543fadafc068edfe7ecc739fe7074e8c2ca266f5ed2d44359

SHA512
999e08cad8bde6489bd27fa9d68e836d9f59dad45abcfb2e7593ce7d98ca5b128a975707f4525c31f555728464e033d75fa2af4f6328d0e540c52a376644a3be

Download Submit
C:\Users\Admin\AppData\Local\Temp\rtwsxp.bat

Filesize
170B

MD5
b0505740fccb837d183178342815f321

SHA1
f98e059e4822f2c41a9fb20807da4adf21c4b923

SHA256
78ee9ae8925d304e8f2549158643e382112c7e923b161f409395cf96c2c9dc10

SHA512
a2653f2423156d7966dfe87e9c902aa1f1a9e4fed3f3057fd52cc8f02853d06b04f34785dd7ee9ea5efdd1352b006a7c83583c7f02a26c3bed7cd37abed3f011

Download Submit
\Users\Admin\AppData\Local\Temp\rfqbal.exe

Filesize
180KB

MD5
7173319ed870b37438a5b89a3547765b

SHA1
bcd63ec1e34499e0d5d3658df9d30eae37d1c07d

SHA256
3f4f445e19bd7d72a6e42db3d816d5675530b3bd5f0ff8b66704f62fb9162718

SHA512
3325c907fc3702d220f64db9eecd7e988afbf83dc6f1257f9bdda73358a813bbebb9a267bcfc03687b950447b8b159bb904ce9052c1a5fe4625925dc064797af

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads