a0a779d7df80129e88610f3b3966a2de852c6bd051c8d8ba45a0c61cd596bc5a

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3aa63e965c6ad051ba37e152fc2d0e0c_JaffaCakes118.exe
Size

228KB
MD5

3aa63e965c6ad051ba37e152fc2d0e0c
SHA1

7524f9e1de6f2f1716654477313ec81621e499ea
SHA256

a0a779d7df80129e88610f3b3966a2de852c6bd051c8d8ba45a0c61cd596bc5a
SHA512

fad2de5778d729c7c9ad2223172d5346127429e3494632825a1e18ddc5531c90faad32a7244cc3273762427adbf3394c1f0edc21f6451b79392665e85c8472a6
SSDEEP

6144:t5x1dG3SuVUf3wB0Xslof8UAzi3LX2u7yDcN+A:XxzTuVgABpUAzKX2UGM

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2260	Mzaxia.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\W1WIWQ1NPG = "C:\\Windows\\Mzaxia.exe"	Mzaxia.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Mzaxia.exe	3aa63e965c6ad051ba37e152fc2d0e0c_JaffaCakes118.exe
File opened for modification	C:\Windows\Mzaxia.exe	3aa63e965c6ad051ba37e152fc2d0e0c_JaffaCakes118.exe
File created	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	3aa63e965c6ad051ba37e152fc2d0e0c_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	3aa63e965c6ad051ba37e152fc2d0e0c_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3aa63e965c6ad051ba37e152fc2d0e0c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mzaxia.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	Mzaxia.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\International	Mzaxia.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe
2260	Mzaxia.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2260	2380	3aa63e965c6ad051ba37e152fc2d0e0c_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2260	2380	3aa63e965c6ad051ba37e152fc2d0e0c_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2260	2380	3aa63e965c6ad051ba37e152fc2d0e0c_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2260	2380	3aa63e965c6ad051ba37e152fc2d0e0c_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\3aa63e965c6ad051ba37e152fc2d0e0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3aa63e965c6ad051ba37e152fc2d0e0c_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\Mzaxia.exe
  C:\Windows\Mzaxia.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Mzaxia.exe

Filesize
228KB

MD5
3aa63e965c6ad051ba37e152fc2d0e0c

SHA1
7524f9e1de6f2f1716654477313ec81621e499ea

SHA256
a0a779d7df80129e88610f3b3966a2de852c6bd051c8d8ba45a0c61cd596bc5a

SHA512
fad2de5778d729c7c9ad2223172d5346127429e3494632825a1e18ddc5531c90faad32a7244cc3273762427adbf3394c1f0edc21f6451b79392665e85c8472a6

Download Submit
C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job

Filesize
372B

MD5
2d323b5bb00f5b014e45b3053f03821a

SHA1
a4ae04bb15e15698bf9d13584bff194fd59142ba

SHA256
ffbfce3c1ce6c4d78a1ceaae90f33f5615b3e14e706d47f14fb371793fc19465

SHA512
fb57769c91a7202d4babb1cc42b5f80b503f7ef9d97cc0e19e5a13faee35d623d9fcb88b04aecf2cf6367a598078db72d2c97ea0a3812a9e3d20561679d1659c

Download Submit
memory/2260-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2260-47291-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2260-47299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2260-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2260-47298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2260-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2260-47294-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2260-47292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2260-47289-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2260-47288-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2380-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2380-47287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2380-0-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/2380-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2380-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download