edb49ead0fba64c9c35b15c7b42f8fd5856fde4d89a5eeeef529f06c23521f3f

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-10-2024 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

544d2a3215835faca58328ba66bdb14d_JaffaCakes118.exe
Size

335KB
MD5

544d2a3215835faca58328ba66bdb14d
SHA1

7041a02c12b5f633a325fce1d3aeab7b56dfe654
SHA256

edb49ead0fba64c9c35b15c7b42f8fd5856fde4d89a5eeeef529f06c23521f3f
SHA512

62accdf6684a54eab333ea61df36ccf7fe98539702d78aff712a63f822163316c2e1ba5b7372065e17681ce5eaf50915c6c47f3f525edb5084dc2a069292087b
SSDEEP

6144:DqhI966AGkAjOpoaY7pGjKa7nuuMdERxSjRSAo2PO4N2Dk:D2q6xGJOpqpaL86ORST4X2w

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\grmynj.sys	544d2a3215835faca58328ba66bdb14d_JaffaCakes118.exe

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MSMedia\Parameters\ServiceDll = "%SystemRoot%\\System32\\grmynj.dll"	544d2a3215835faca58328ba66bdb14d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\CONTROLSET002\services\MSMedia\Parameters\ServiceDll = "%SystemRoot%\\System32\\grmynj.dll"	544d2a3215835faca58328ba66bdb14d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\CONTROLSET003\Services\MSMedia\Parameters\ServiceDll = "%SystemRoot%\\System32\\grmynj.dll"	544d2a3215835faca58328ba66bdb14d_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2720	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2536	544d2a3215835faca58328ba66bdb14d_JaffaCakes118.exe
2720	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\grmynj.dll	544d2a3215835faca58328ba66bdb14d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\0004fe30.inf	544d2a3215835faca58328ba66bdb14d_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	544d2a3215835faca58328ba66bdb14d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2720	svchost.exe
2720	svchost.exe
2720	svchost.exe

C:\Users\Admin\AppData\Local\Temp\544d2a3215835faca58328ba66bdb14d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\544d2a3215835faca58328ba66bdb14d_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2536

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k MSMedia
1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\grmynj.dll

Filesize
69KB

MD5
1caf6a6748394fcd28a9db7429169a1c

SHA1
4f15a30ff22fd6acce7d3ec45723b0f0c2c7379a

SHA256
291cac5f006319a3e07ade259802904bb33e681901da9fb3ee6ff5ea4cce51c8

SHA512
f1cfa5ba9baf270f1d75cc371d7830d605430960ab36add7ec9b2e71629d54132c8fe8dac409b9e1842e6192b1bd72a70a325c8c3e645b7ee1980f739d8e1acb

Download Submit
memory/2536-33-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2536-16-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/2536-8-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2536-7-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2536-6-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2536-5-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2536-34-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2536-3-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2536-2-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2536-13-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/2536-12-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/2536-11-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/2536-10-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2536-21-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2536-38-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2536-37-0x0000000003020000-0x0000000003021000-memory.dmp

Filesize
4KB

Download
memory/2536-36-0x0000000003030000-0x0000000003031000-memory.dmp

Filesize
4KB

Download
memory/2536-31-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/2536-4-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2536-9-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/2536-35-0x0000000003040000-0x0000000003041000-memory.dmp

Filesize
4KB

Download
memory/2536-30-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/2536-29-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2536-28-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/2536-27-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2536-26-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2536-25-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2536-24-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/2536-23-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/2536-22-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/2536-20-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2536-19-0x0000000003000000-0x0000000003002000-memory.dmp

Filesize
8KB

Download
memory/2536-18-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/2536-17-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/2536-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2536-15-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/2536-14-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/2536-1-0x0000000000320000-0x000000000037A000-memory.dmp

Filesize
360KB

Download
memory/2536-45-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2536-46-0x0000000000320000-0x000000000037A000-memory.dmp

Filesize
360KB

Download