e2afbf50c14180590240e52e62d2a7f0ecdb223dd50fd9fc6533d7cb9e599769

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-10-2024 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe
Size

496KB
MD5

36b40cda8a0e5b0901ab9d3456d15a05
SHA1

a9c3fa8e5f06dc640c78043ecc116d233c52995e
SHA256

e2afbf50c14180590240e52e62d2a7f0ecdb223dd50fd9fc6533d7cb9e599769
SHA512

cbb79368f1eb2406196e3aefda52010f9c93f5744e1da4b7e0cd5a828539210b726e12fe870ce9101c3d70a73a8c075da954ce98e8e92c907fb6d0c1944092c5
SSDEEP

12288:5N65hzpN4m0d5fgJoEU2d2A8hmcJ0OLFkLxnCFbaR:M36fdBgJJU2QAcJ0sk9CK

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2656	directx.exe

Executes dropped EXE 1 IoCs

pid	Process
2656	directx.exe

Loads dropped DLL 2 IoCs

pid	Process
2268	36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe
2268	36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DXMain\hDirectX.dll	36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DXMain\kDirectX.dll	36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DXMain\directx.exe	36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DXMain\directx.exe	36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2268 set thread context of 2360	2268	36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe	31

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	directx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	directx.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2268	36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe
2268	36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe
2268	36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe
2656	directx.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2360	2268	36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2360	2268	36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2360	2268	36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2360	2268	36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2360	2268	36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2360	2268	36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2656	2268	36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe	32
PID 2268 wrote to memory of 2656	2268	36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe	32
PID 2268 wrote to memory of 2656	2268	36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe	32
PID 2268 wrote to memory of 2656	2268	36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe	32
PID 2268 wrote to memory of 1196	2268	36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe	21
PID 2656 wrote to memory of 1196	2656	directx.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Users\Admin\AppData\Local\Temp\36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe"
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\DXMain\directx.exe
    "C:\Windows\system32\DXMain\directx.exe" "C:\Users\Admin\AppData\Local\Temp\36b40cda8a0e5b0901ab9d3456d15a05_JaffaCakes118.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\DXMain\directx.exe

Filesize
396KB

MD5
065b2347f75f4abd9cc81185723dac05

SHA1
071ade29973406458fd3c82fa98959c882b75397

SHA256
43dad36622ce93cbc55e521d9e8207a84708d7054b6f02fe3d31636a4bb1d4af

SHA512
fdbcc114c010a68436afd183304169754720fcad7d985e36b1a5dff41d70e9b23768ba991b14ea50f2c48620a13744647cf5b2d289a86f5520db52b08642e5af

Download Submit
memory/1196-19-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/2268-18-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/2268-25-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2268-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2360-3-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2360-5-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2360-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2360-22-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2656-30-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2656-36-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2656-31-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2656-32-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2656-33-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2656-34-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2656-35-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2656-24-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2656-38-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2656-39-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2656-40-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2656-41-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2656-42-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2656-43-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download