eac2417aa792d3080f2b00378731765ed8ab7f77beac0f052af99b653c0575b0

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-10-2024 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5231e860246a78dde533c6abeb8ebb04_JaffaCakes118.exe
Size

16KB
MD5

5231e860246a78dde533c6abeb8ebb04
SHA1

d8fb42882ecf3780c22bef74ab53729a2b33c31f
SHA256

eac2417aa792d3080f2b00378731765ed8ab7f77beac0f052af99b653c0575b0
SHA512

bf753361c6bdabd658a0911b51158f17ebb551db37ca48c843332504284122e0ade8850ee70e5be33c65266830860cc5cff1a2d0b28695401548b78b9681684c
SSDEEP

192:CvTl1Bva5ySFagL/nKBPhISG62pW/rJRgRBtD/rVND3koxYceh4ZDow:ShOySFagjSK962pGNRgrtD/9ecn

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5231e860246a78dde533c6abeb8ebb04_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	5231e860246a78dde533c6abeb8ebb04_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	5231e860246a78dde533c6abeb8ebb04_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2380	5231e860246a78dde533c6abeb8ebb04_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	5231e860246a78dde533c6abeb8ebb04_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\5231e860246a78dde533c6abeb8ebb04_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5231e860246a78dde533c6abeb8ebb04_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~!#22E9.tmp

Filesize
4KB

MD5
34392dab3badf1aa9d8e5c7a54ca7465

SHA1
4ff83fb0e1bc3804a3890a8ef07aa8fec8597a4c

SHA256
096b24f6600695536ad002b3b4484ef64eb37632325fb657dad48dd79dce57d8

SHA512
63b3fb49a719933097c9d8420f12ddec5c07a3636a262c6ba7b787bf54933557d0091617d3bf561ddd7b23dfc21efe77351b728993c20278c77d338f055db94c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#24D3.tmp

Filesize
9KB

MD5
2996aac3e0bce3d6667335edbeb2dae4

SHA1
04a996844f99eb568450c36c819696e5e505d0ec

SHA256
164a0c7b19d7e275fa3a1e092a697ed4643f099bba85f37f9efc28fbfb557b7a

SHA512
b8dfea72836d3ea1e2b65d780ad780e944e29835a0dce4ad299091d2132565e938b4003e4f0ce7bda29c6a44fa0ddee97ada8cbcfa6b72e46fddbddb2af6d6a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#261E.tmp

Filesize
4KB

MD5
f6cf7394802b5ef61f0edf4b9eaacba3

SHA1
cf23b1601cae146c94aab4fed4e3cab5cf2eee4e

SHA256
b20b5f4f74ec6680f186ec0a107dc33f0243dd2fccfb8bc76b9e5858d67970a5

SHA512
50f5d498f49b1951b14273e13baaa4949166bafa9910be8fbcdd2f602469bbffd3dc7a6a63996c1c06ede5a0ce4c1419636149e1e3d7766d71c18b239dc8f92a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#275A.tmp

Filesize
13KB

MD5
9327eed19825c225915a5b4f5a8cc3dc

SHA1
326437d7c4f8af88781b1567f1887b283e497e39

SHA256
bb9da07af7fb562be9fb85b0052b0dc37f9bd431c7fd6e643d937221dd4822c3

SHA512
98fba3992c12599a591f0f26830b46e5a8b90cae1430cf6bea23ce560c053789edb99b85b57e3bcabec9c980e01af3cce87b9f5f1c9c8f752b1a097874081251

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#2EA1.tmp

Filesize
4KB

MD5
579605bbe048c7b386c1b19c7f1111fd

SHA1
d0b046151ded348f0044a8ce907e341cc7a009e5

SHA256
21b7918a439cb00a45f7ad78b541e0aeb4b43d95231f6c9fa38e10e315d68144

SHA512
8bfb57a9c5daef884ef4c8848b6419802d0325fc934297a32f06073c7f24b38d0b281385779f8949b61530ba0e3ce1ef73bd811249f0c4853863627150d5aea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#3FD6.tmp

Filesize
6KB

MD5
703c047b95b21a6f1edbbd0762f7410b

SHA1
d386fa4e62afa8997553bed13ee6a438d6dc0126

SHA256
63f5f26f899256a9350336c3a2791f07ef1eb97b0f41bc877bda2186ce1306b0

SHA512
f516454fe176f7394e9730f142da1f3cdde7732dc34873f1d30ab428f8e6be46f9250f7a15b3c94ca07c7afafb3f46783e54d6dfad2dd30bafb1d36ed0a1902e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#41FF.tmp

Filesize
9KB

MD5
4da64a276b11b81fd1d7c362ef3b6ca3

SHA1
4344442360dac845a8eb36f234fe1a4a6593a278

SHA256
20d02dc0efcece138b7ddcd4f3f01923ca108fde4519c0eb5bc9a19ec11aff44

SHA512
04d6c180b73862cca735931354b250ad5edf1fca36e1cb71a915dcfd77ae27151c098b3b5890e1391dde573c680639217c8d906aee1a71e69b64e2f7c404f4c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#425E.tmp

Filesize
14KB

MD5
77a6f3a3de791761f4c8861388a73898

SHA1
3dbcbe6e29baa5adb4d0b747644f85880a8ff913

SHA256
c68b4908ae25d7197b8068c91e589349e5ac99fbea4650bcf5ca3381817c8231

SHA512
67e7400a9e2e8e96d692890a1a3d1416dd34aac1e505b62a489f6c5b6d78d7839ccf8b4e57d0552b0afc78f4cea4a243873708fc179ffb4fc53c83862b04a5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#430C.tmp

Filesize
13KB

MD5
dd37f0185f1ceb7fdfa118faf448e17c

SHA1
a139db4224559502495e9421b49b1efef499d6a0

SHA256
247608c80eb063ff403ddfba57cd739aceda72ea8874591f36077480fe802ecb

SHA512
1550c6b88eaa31b9f058f09819f5cdb26a9832c63a9592bd610a633671ad1d830138721c04823d16b4c46bed686174d7829df96ad6ba89d20fd14ce42f6208d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#4612.tmp

Filesize
13KB

MD5
70c7be5b8b96458546224a6c6b7b20a2

SHA1
464c60f4d62a309729d19fac68556d8a9768ddf1

SHA256
d8031d4b4ded9c20eb41d13faed4229bf245b5de1f3ec62c3a0bbd36f2fd4ad5

SHA512
f7540f1698684f9a2db1c3b1454b682d01fed3752245a614be79c0f7bc692a70fe8c1f0e5adf3a8c3191cd819ef17652ab70d98f662f9623fba2bc18204a1b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#470F.tmp

Filesize
4KB

MD5
be93879e644a1644e72291e61084852b

SHA1
f7349964eba5b2a5e64f265724e673c97f230cc8

SHA256
ece3daa94921834cde2e1a5f9bf4ed17f3cd5b6da43c2c79ba60230d32ea1fbe

SHA512
5dd81642b7ecda56e8c5604b4b048fdfa8b068c9d92f0e6dd6f409cc074a1f0a05e7af0dd785069d3bad44fe1a830bee762843f8a55323bec98b1240d352ddec

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#47BC.tmp

Filesize
4KB

MD5
f887ad830ae23aa49e58deaffd00b784

SHA1
33b9a142a66440f3f031ad204e3497ee8702d1a0

SHA256
bc0be93a80e956ac273987158e683ff81466677b0e0cbe459c0b72aada2d3c78

SHA512
1b70c91b4775a0f959b2f87973be5fda33b889f1d2d7b359d72af0617a6df488507e5cebf270dbd66993ea2438d1cf1345f3e3eebc8be4bc13fec50d6f55dc01

Download Submit
C:\Users\Admin\AppData\Local\Temp\~!#48B9.tmp

Filesize
5KB

MD5
9d16d3e1d3d88127c5a08967d2de7b6b

SHA1
572d7cc5e4838e5a2c6bb7fe41b7c1780cdd05c8

SHA256
cadde548fe1f4481ac8fc699bcc62e7afbd72555e69c9a4460f620dc09de03a5

SHA512
fd61979f2267a2ec0ef76d764438336b93121749b188ff227ac6f6f43dcc8f2799071683df10f993e805d66893527dbc7d753dc5306cdc7efc78f45fe1b7ecf2

Download Submit
memory/2380-51-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2380-0-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download