e6f28175ba508818aac93c59b56a932623b289d3ef4de600d048829b0a7fa04a

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/10/2024, 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

374233e7322071a22486cdbaffbcb6d4_JaffaCakes118.exe
Size

97KB
MD5

374233e7322071a22486cdbaffbcb6d4
SHA1

a09dad6765cfbe0021ba3a1f040431be6f02d214
SHA256

e6f28175ba508818aac93c59b56a932623b289d3ef4de600d048829b0a7fa04a
SHA512

e41d134e6a6c8ab7775ca7d9c219952cf5ab0d29aebc6278009d08474a01a67795079f1528085455625be881a46b6def7fa16e1937188243b10158424f4f6a25
SSDEEP

3072:6Sq579Zdq8ohVr4KVSgyL2bkf7Nf5MBzLVpagMR3H40BHHw+ZH/CzVvqhLxYF:3fT7HYMBzLVpagMR3H40BHHw+ZH/8Vvv

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2816	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
2808	winamp.exe
292	algs.exe
2092	csrs.exe
1228	lssas.exe

Loads dropped DLL 8 IoCs

pid	Process
2276	374233e7322071a22486cdbaffbcb6d4_JaffaCakes118.exe
2276	374233e7322071a22486cdbaffbcb6d4_JaffaCakes118.exe
2808	winamp.exe
2808	winamp.exe
292	algs.exe
292	algs.exe
2092	csrs.exe
2092	csrs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows DLL Loader = "C:\\Windows\\system32\\lssas.exe"	lssas.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\qwukzak.bat	csrs.exe
File created	C:\Windows\SysWOW64\lssas.exe	lssas.exe
File created	C:\Windows\SysWOW64\winamp.exe	374233e7322071a22486cdbaffbcb6d4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winamp.exe	374233e7322071a22486cdbaffbcb6d4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\owtjvm.bat	winamp.exe
File created	C:\Windows\SysWOW64\csrs.exe	algs.exe
File created	C:\Windows\SysWOW64\wdmmjqy.bat	algs.exe
File opened for modification	C:\Windows\SysWOW64\lssas.exe	csrs.exe
File created	C:\Windows\SysWOW64\algs.exe	winamp.exe
File opened for modification	C:\Windows\SysWOW64\algs.exe	winamp.exe
File opened for modification	C:\Windows\SysWOW64\csrs.exe	algs.exe
File created	C:\Windows\SysWOW64\lssas.exe	csrs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winamp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lssas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	374233e7322071a22486cdbaffbcb6d4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	algs.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2816	2276	374233e7322071a22486cdbaffbcb6d4_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2816	2276	374233e7322071a22486cdbaffbcb6d4_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2816	2276	374233e7322071a22486cdbaffbcb6d4_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2816	2276	374233e7322071a22486cdbaffbcb6d4_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2808	2276	374233e7322071a22486cdbaffbcb6d4_JaffaCakes118.exe	32
PID 2276 wrote to memory of 2808	2276	374233e7322071a22486cdbaffbcb6d4_JaffaCakes118.exe	32
PID 2276 wrote to memory of 2808	2276	374233e7322071a22486cdbaffbcb6d4_JaffaCakes118.exe	32
PID 2276 wrote to memory of 2808	2276	374233e7322071a22486cdbaffbcb6d4_JaffaCakes118.exe	32
PID 2808 wrote to memory of 2604	2808	winamp.exe	33
PID 2808 wrote to memory of 2604	2808	winamp.exe	33
PID 2808 wrote to memory of 2604	2808	winamp.exe	33
PID 2808 wrote to memory of 2604	2808	winamp.exe	33
PID 2808 wrote to memory of 292	2808	winamp.exe	35
PID 2808 wrote to memory of 292	2808	winamp.exe	35
PID 2808 wrote to memory of 292	2808	winamp.exe	35
PID 2808 wrote to memory of 292	2808	winamp.exe	35
PID 292 wrote to memory of 2244	292	algs.exe	36
PID 292 wrote to memory of 2244	292	algs.exe	36
PID 292 wrote to memory of 2244	292	algs.exe	36
PID 292 wrote to memory of 2244	292	algs.exe	36
PID 292 wrote to memory of 2092	292	algs.exe	38
PID 292 wrote to memory of 2092	292	algs.exe	38
PID 292 wrote to memory of 2092	292	algs.exe	38
PID 292 wrote to memory of 2092	292	algs.exe	38
PID 2092 wrote to memory of 1704	2092	csrs.exe	39
PID 2092 wrote to memory of 1704	2092	csrs.exe	39
PID 2092 wrote to memory of 1704	2092	csrs.exe	39
PID 2092 wrote to memory of 1704	2092	csrs.exe	39
PID 2092 wrote to memory of 1228	2092	csrs.exe	41
PID 2092 wrote to memory of 1228	2092	csrs.exe	41
PID 2092 wrote to memory of 1228	2092	csrs.exe	41
PID 2092 wrote to memory of 1228	2092	csrs.exe	41

C:\Users\Admin\AppData\Local\Temp\374233e7322071a22486cdbaffbcb6d4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\374233e7322071a22486cdbaffbcb6d4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\dlcplmo.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2816
- C:\Windows\SysWOW64\winamp.exe
  C:\Windows\system32\winamp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\SysWOW64\owtjvm.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2604
- - C:\Windows\SysWOW64\algs.exe
    C:\Windows\system32\algs.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:292
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Windows\SysWOW64\wdmmjqy.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2244
  - - C:\Windows\SysWOW64\csrs.exe
      C:\Windows\system32\csrs.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2092
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\SysWOW64\qwukzak.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
    - - C:\Windows\SysWOW64\lssas.exe
        
        C:\Windows\system32\lssas.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dlcplmo.bat

Filesize
243B

MD5
021796d58c92d2ccdf1393f948ac0449

SHA1
f776ae49f3a8906b61ee40f2a2be41cb439f0c9b

SHA256
2be98c4cca07ef1845e11cfaf6fdac498ea95c655de86e590ddaa2ee679df9d0

SHA512
c4f222b6e15b74930d271f357bd1c2841d12bd8f52ef231bb4cd55ffe1f45de6b2155ff943b7fb82b32eb991aefa23ee208772a05aa5293f27605a76e06596d6

Download Submit
C:\Windows\SysWOW64\owtjvm.bat

Filesize
122B

MD5
76875d8604accdcc8a0d0490ace2ea93

SHA1
69354364cdb904e7c7a10c577df484d5f49713d6

SHA256
4aaed41dfbb158913412542873cd8af1a32648731e89fdf9420b49221216bc2c

SHA512
d59ee287b2fb9dfdb50538cd15d0e6ad105b288f7d1a4d5a7bc6ccd7ef1b6bfe1a8cdf3b7f0881d5db4ec46bbde72cba66ee6b626dd4faa7ffe24f8b61eaee7b

Download Submit
C:\Windows\SysWOW64\qwukzak.bat

Filesize
117B

MD5
0471e45044ee9be07085491851a19830

SHA1
464c09b3ead13143817229b2e98e4eff74471d07

SHA256
3e9bd03f9c76ae5c5c357c004d0f86f0314c4b238718871782fc904f4ad2aeba

SHA512
07947713f82c1d8e2404153e0b8349aa5763cb6f226b03f7f001353760b5b0e1ecd1d03175f898d1c078a000546d7f6dcdda9f04065e0e40f77b224cf40b0cb3

Download Submit
C:\Windows\SysWOW64\wdmmjqy.bat

Filesize
117B

MD5
f5f39d1e1b4d716a3b7b900387ed7d3e

SHA1
aa0a480694ca6f21b5774d7d83621ad7727c1f5c

SHA256
55a1958a1cabbbe260df485c464d4ef2c8e8f079b69d20d44e138302fc7619ad

SHA512
d36f698f431531c4bd312bb9ff8cb6f739fca9281e61cd884a85449ef64c45bba6a2f268b9b646d5b971df8b0bde23eff4786c7392453d1e817fbe1a5686c30a

Download Submit
C:\Windows\SysWOW64\winamp.exe

Filesize
97KB

MD5
374233e7322071a22486cdbaffbcb6d4

SHA1
a09dad6765cfbe0021ba3a1f040431be6f02d214

SHA256
e6f28175ba508818aac93c59b56a932623b289d3ef4de600d048829b0a7fa04a

SHA512
e41d134e6a6c8ab7775ca7d9c219952cf5ab0d29aebc6278009d08474a01a67795079f1528085455625be881a46b6def7fa16e1937188243b10158424f4f6a25

Download Submit
memory/292-96-0x0000000002F80000-0x00000000034AF000-memory.dmp

Filesize
5.2MB

Download
memory/292-44-0x0000000000400000-0x000000000092EEA8-memory.dmp

Filesize
5.2MB

Download
memory/292-65-0x0000000002F80000-0x00000000034AF000-memory.dmp

Filesize
5.2MB

Download
memory/292-66-0x0000000000400000-0x000000000092EEA8-memory.dmp

Filesize
5.2MB

Download
memory/292-68-0x0000000002F80000-0x00000000034AF000-memory.dmp

Filesize
5.2MB

Download
memory/1228-97-0x0000000000400000-0x000000000092EEA8-memory.dmp

Filesize
5.2MB

Download
memory/1228-92-0x0000000000400000-0x000000000092EEA8-memory.dmp

Filesize
5.2MB

Download
memory/2092-70-0x0000000000400000-0x000000000092EEA8-memory.dmp

Filesize
5.2MB

Download
memory/2092-91-0x0000000000400000-0x000000000092EEA8-memory.dmp

Filesize
5.2MB

Download
memory/2276-0-0x0000000000400000-0x000000000092EEA8-memory.dmp

Filesize
5.2MB

Download
memory/2276-19-0x0000000003510000-0x0000000003A3F000-memory.dmp

Filesize
5.2MB

Download
memory/2276-20-0x0000000000400000-0x000000000092EEA8-memory.dmp

Filesize
5.2MB

Download
memory/2808-93-0x0000000000400000-0x000000000092EEA8-memory.dmp

Filesize
5.2MB

Download
memory/2808-22-0x0000000000400000-0x000000000092EEA8-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads