d7a56cca4917e21f9eac6e5b95f69be0e515b222adf38b443c4c1abbefeb4779

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4307e445e5dd7a3b8480b64bf57ab45a_JaffaCakes118.exe
Size

1.3MB
MD5

4307e445e5dd7a3b8480b64bf57ab45a
SHA1

3ced041cdfcfa087ed1b8850ac46b3d60ab4b4e6
SHA256

d7a56cca4917e21f9eac6e5b95f69be0e515b222adf38b443c4c1abbefeb4779
SHA512

04bc26c53dfb6529d5c651fe1e5954b97e5f8449f570442a8dd3eb1b9f2c5f269db5f9a19d4ccfdcba3810b9e92ba071ab02d2279606f28a6c88988dbdc2da4c
SSDEEP

24576:ezbBc+A5PEAJEiC49X6kA3z0cwsAx66BBO30f+aXccs6jDjk/z/+q:e0TCjiM5wdo6BBO3BaXZhjDjkjh

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2068	install.exe
2412	isass.exe

Loads dropped DLL 10 IoCs

pid	Process
2556	4307e445e5dd7a3b8480b64bf57ab45a_JaffaCakes118.exe
2068	install.exe
2068	install.exe
2068	install.exe
2068	install.exe
2068	install.exe
2412	isass.exe
2412	isass.exe
2412	isass.exe
2412	isass.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\AppData\\Local\\isass.exe \""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4307e445e5dd7a3b8480b64bf57ab45a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isass.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2968	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2068	install.exe
2068	install.exe
2068	install.exe
2068	install.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2412	isass.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2412	isass.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2068	2556	4307e445e5dd7a3b8480b64bf57ab45a_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2068	2556	4307e445e5dd7a3b8480b64bf57ab45a_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2068	2556	4307e445e5dd7a3b8480b64bf57ab45a_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2068	2556	4307e445e5dd7a3b8480b64bf57ab45a_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2068	2556	4307e445e5dd7a3b8480b64bf57ab45a_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2068	2556	4307e445e5dd7a3b8480b64bf57ab45a_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2068	2556	4307e445e5dd7a3b8480b64bf57ab45a_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2412	2068	install.exe	31
PID 2068 wrote to memory of 2412	2068	install.exe	31
PID 2068 wrote to memory of 2412	2068	install.exe	31
PID 2068 wrote to memory of 2412	2068	install.exe	31
PID 2068 wrote to memory of 2412	2068	install.exe	31
PID 2068 wrote to memory of 2412	2068	install.exe	31
PID 2068 wrote to memory of 2412	2068	install.exe	31
PID 2412 wrote to memory of 2864	2412	isass.exe	32
PID 2412 wrote to memory of 2864	2412	isass.exe	32
PID 2412 wrote to memory of 2864	2412	isass.exe	32
PID 2412 wrote to memory of 2864	2412	isass.exe	32
PID 2412 wrote to memory of 2864	2412	isass.exe	32
PID 2412 wrote to memory of 2864	2412	isass.exe	32
PID 2412 wrote to memory of 2864	2412	isass.exe	32
PID 2864 wrote to memory of 2720	2864	cmd.exe	34
PID 2864 wrote to memory of 2720	2864	cmd.exe	34
PID 2864 wrote to memory of 2720	2864	cmd.exe	34
PID 2864 wrote to memory of 2720	2864	cmd.exe	34
PID 2864 wrote to memory of 2720	2864	cmd.exe	34
PID 2864 wrote to memory of 2720	2864	cmd.exe	34
PID 2864 wrote to memory of 2720	2864	cmd.exe	34
PID 2720 wrote to memory of 2968	2720	cmd.exe	35
PID 2720 wrote to memory of 2968	2720	cmd.exe	35
PID 2720 wrote to memory of 2968	2720	cmd.exe	35
PID 2720 wrote to memory of 2968	2720	cmd.exe	35
PID 2720 wrote to memory of 2968	2720	cmd.exe	35
PID 2720 wrote to memory of 2968	2720	cmd.exe	35
PID 2720 wrote to memory of 2968	2720	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\4307e445e5dd7a3b8480b64bf57ab45a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4307e445e5dd7a3b8480b64bf57ab45a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Local\Temp\install.exe
  "C:\Users\Admin\AppData\Local\Temp\install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Local\isass.exe
    "C:\Users\Admin\AppData\Local\isass.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c setup.bat
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup.bat

Filesize
143B

MD5
330d9a81f808b287b999c76c1d932ed6

SHA1
95146f6f084c39395e2fae892af065e85fddb8d1

SHA256
4e2ba5afae8aedfb7664f479ff30667dbabee99f63c922206df98ff56456a03f

SHA512
4abd3d3c6b40ae046366604fdfabdc2c97a54cd4c4046452014fb1087353d216b2920650cc2d147fd6c1a79fd7d73d7cd46a8ada0a5c70de70b87b480034e812

Download Submit
C:\Users\Admin\AppData\Local\ntldr.dll

Filesize
216KB

MD5
c9e7bf0068bf9d191ff0f45ccaf65f99

SHA1
40d9f5ee5814ccde7a460d188fa3609ff613c14c

SHA256
8adb4f985d7ff250c803d537c4ab1b8e76259aba6db41b27c327f0bb64fa63f0

SHA512
802bccbbfcc7c5c882ed3273b5fdde2b2a3963775e1d705cd410d0d32dae63f9a303cf307c36fa532c7956ae2abb800bd5a4b6208fcd36bc89ce1475e35ee640

Download Submit
\Users\Admin\AppData\Local\Temp\install.exe

Filesize
944KB

MD5
1b139bd50d8deea7b3d3bcd21a34cb28

SHA1
551faf81b7815549935ca0eb9b3aad1b1c6a527e

SHA256
ddcc00896a7203a33e3c091de6eb63cbf03a24e085cf6e913ae6bada42accf20

SHA512
2dcaa1e6a60fc7720a0e8746a864d529af2e398041e506dfec81dca988ae7031276b20dbe57784ffac04709a3aecbc432bb5a149a5bc5e522dab7b07ae1247ec

Download Submit
\Users\Admin\AppData\Local\isass.exe

Filesize
520KB

MD5
f5a27157301659b614612fa2e15e0e0d

SHA1
caea9aa24360e0d0720a72a68421ec29af9caa22

SHA256
08b269771a6c963927b7e1162233be12a97217c550c17344647a0dd821ecf6c4

SHA512
c69a6ee08443ccb147c9c314f843f18153fa92f251637c3f2edfeb2376fe7df59397712a19730fd91c54b897db25814e736f5ea0b508d9f79019b9c98f9771b5

Download Submit
memory/2068-36-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/2412-28-0x00000000007E0000-0x000000000081C000-memory.dmp

Filesize
240KB

Download
memory/2412-38-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2412-39-0x00000000007E0000-0x000000000081C000-memory.dmp

Filesize
240KB

Download
memory/2556-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2556-7-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download