1553fa71dd8abb1a6c3855f573441d65eade7e10d99b2e48edd5c0d44d17d0f4

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a5dbe807893ce190c432591a38b31aa_JaffaCakes118.exe
Size

93KB
MD5

3a5dbe807893ce190c432591a38b31aa
SHA1

4e706c2b3503fc8ec5e48b4132f3f52200979829
SHA256

1553fa71dd8abb1a6c3855f573441d65eade7e10d99b2e48edd5c0d44d17d0f4
SHA512

951050abbd3e7e2481013d1964114cccfaf622fcec14f8a0f8bf98ace9d286e5e4e9daddc9e29d7372e5ba4ed63fc50b9e2ba2186cd41a54a6948c88303df875
SSDEEP

1536:awiGqmQVoPsfxPl3oYcl/ikt51h9J7HMUF7TGD+0ICJ6I9UmNFnToIf6HTR3K3bf:awAoPwBATl5CJ68U6tTBfoTR30bsmx/1

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2324	NB_Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NB_Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a5dbe807893ce190c432591a38b31aa_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 3008	2984	3a5dbe807893ce190c432591a38b31aa_JaffaCakes118.exe	30
PID 2984 wrote to memory of 3008	2984	3a5dbe807893ce190c432591a38b31aa_JaffaCakes118.exe	30
PID 2984 wrote to memory of 3008	2984	3a5dbe807893ce190c432591a38b31aa_JaffaCakes118.exe	30
PID 2984 wrote to memory of 3008	2984	3a5dbe807893ce190c432591a38b31aa_JaffaCakes118.exe	30
PID 2984 wrote to memory of 3008	2984	3a5dbe807893ce190c432591a38b31aa_JaffaCakes118.exe	30
PID 2984 wrote to memory of 3008	2984	3a5dbe807893ce190c432591a38b31aa_JaffaCakes118.exe	30
PID 2984 wrote to memory of 3008	2984	3a5dbe807893ce190c432591a38b31aa_JaffaCakes118.exe	30
PID 3008 wrote to memory of 2324	3008	cmd.exe	32
PID 3008 wrote to memory of 2324	3008	cmd.exe	32
PID 3008 wrote to memory of 2324	3008	cmd.exe	32
PID 3008 wrote to memory of 2324	3008	cmd.exe	32
PID 3008 wrote to memory of 2324	3008	cmd.exe	32
PID 3008 wrote to memory of 2324	3008	cmd.exe	32
PID 3008 wrote to memory of 2324	3008	cmd.exe	32
PID 2984 wrote to memory of 2868	2984	3a5dbe807893ce190c432591a38b31aa_JaffaCakes118.exe	35
PID 2984 wrote to memory of 2868	2984	3a5dbe807893ce190c432591a38b31aa_JaffaCakes118.exe	35
PID 2984 wrote to memory of 2868	2984	3a5dbe807893ce190c432591a38b31aa_JaffaCakes118.exe	35
PID 2984 wrote to memory of 2868	2984	3a5dbe807893ce190c432591a38b31aa_JaffaCakes118.exe	35
PID 2984 wrote to memory of 2868	2984	3a5dbe807893ce190c432591a38b31aa_JaffaCakes118.exe	35
PID 2984 wrote to memory of 2868	2984	3a5dbe807893ce190c432591a38b31aa_JaffaCakes118.exe	35
PID 2984 wrote to memory of 2868	2984	3a5dbe807893ce190c432591a38b31aa_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\3a5dbe807893ce190c432591a38b31aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a5dbe807893ce190c432591a38b31aa_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "c:\NB_Server.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3008
- - \??\c:\NB_Server.exe
    c:\NB_Server.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "c:\ds1.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\NB_Server.exe

Filesize
68KB

MD5
d6de8eaaa073bdecbbb020cbfcaf94c6

SHA1
34263ab745b3db97e95edd388f03b316373f206d

SHA256
80dd8260e1776cf4a1f501f23f2ac4bf7a1587e1ac24c654bb8aab2bd0411edd

SHA512
7cf5c37586a6b9ea7c89571c1eb7f32deac08e9ce13e25069c40ea24deb9a8407786a520c06d4ffaa26c5e23fe2a2bab969431b23060882bf24266788597f008

Download Submit
memory/2984-4-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download