8d821786b32b70631fa2186d5fcabe3154f50c38820ea4cdbb5a58c84c042dea

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fc78719149e041079fc97804d2733e3_JaffaCakes118.exe
Size

145KB
MD5

3fc78719149e041079fc97804d2733e3
SHA1

343a1999113e150d4abd341a6ed9225676ea34e4
SHA256

8d821786b32b70631fa2186d5fcabe3154f50c38820ea4cdbb5a58c84c042dea
SHA512

5684c112c377b8c29bad870a6f8fb00a9db5bf9ac79a812f01e60aa10f60a83c4b8ce4669f43f01462246eccd35171002bbf9d635d15eaa61c7a836d9257e45c
SSDEEP

3072:2Gu9BlfzWIbXWm+w0J5W5iqTuJNig01WmKnBsB4JlnWEX:2/0uo1EgIWIB4LX

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1780	Mark D3D.exe

Loads dropped DLL 1 IoCs

pid	Process
1732	3fc78719149e041079fc97804d2733e3_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3fc78719149e041079fc97804d2733e3_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mark D3D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3fc78719149e041079fc97804d2733e3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1780	1732	3fc78719149e041079fc97804d2733e3_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1780	1732	3fc78719149e041079fc97804d2733e3_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1780	1732	3fc78719149e041079fc97804d2733e3_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1780	1732	3fc78719149e041079fc97804d2733e3_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\3fc78719149e041079fc97804d2733e3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3fc78719149e041079fc97804d2733e3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mark D3D.exe
  "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mark D3D.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mark D3D.exe

Filesize
200KB

MD5
52b29ef75e5003888ca42282aa76ee0e

SHA1
a7247337038bbce18831fc8bb7310796d666fda5

SHA256
f1a02f88a3f783f7c31136eb077d9331faed0dad1e005d9c99aca8d2cc413736

SHA512
9713d039327b0e2bbe1480a59841229730542dcea4b496cb584c948580c08fe660d641ca25e42da582b974bfa374e6f7f8c6e486f9e8108919c3ee3ab75b3487

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads