c28f3d1a90efb922879780d8a76d531cbfca98dfe7b6adafe7adf08c418df972

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/10/2024, 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5265c27dea5781da8b32b2c0ffd12ac4_JaffaCakes118.exe
Size

1.3MB
MD5

5265c27dea5781da8b32b2c0ffd12ac4
SHA1

8d8fdd56d486ad2573cbd0703f57b56b837a773b
SHA256

c28f3d1a90efb922879780d8a76d531cbfca98dfe7b6adafe7adf08c418df972
SHA512

f348f66c0c95bb242b10d8b45eee6325a19123964e8b0d6b18aa3e0f18527e26c3df21eb8ae8775c6395fe7037f5d61dd51b101b0458ad6a797918a4212bdf84
SSDEEP

24576:OzbBc+A5PEAMC5md2NFZ5DfwK8L3MkvAbIJyFku4Qxz4W74Vot82QpaCiyOXD+lz:O0TP5m8rzYLckobl4W0VKlb5XDez

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2704	install.exe
2896	isass.exe

Loads dropped DLL 10 IoCs

pid	Process
2648	5265c27dea5781da8b32b2c0ffd12ac4_JaffaCakes118.exe
2704	install.exe
2704	install.exe
2704	install.exe
2704	install.exe
2704	install.exe
2896	isass.exe
2896	isass.exe
2896	isass.exe
2896	isass.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\AppData\\Local\\isass.exe \""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5265c27dea5781da8b32b2c0ffd12ac4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2560	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2704	install.exe
2704	install.exe
2704	install.exe
2704	install.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2896	isass.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2896	isass.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2704	2648	5265c27dea5781da8b32b2c0ffd12ac4_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2704	2648	5265c27dea5781da8b32b2c0ffd12ac4_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2704	2648	5265c27dea5781da8b32b2c0ffd12ac4_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2704	2648	5265c27dea5781da8b32b2c0ffd12ac4_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2704	2648	5265c27dea5781da8b32b2c0ffd12ac4_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2704	2648	5265c27dea5781da8b32b2c0ffd12ac4_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2704	2648	5265c27dea5781da8b32b2c0ffd12ac4_JaffaCakes118.exe	30
PID 2704 wrote to memory of 2896	2704	install.exe	31
PID 2704 wrote to memory of 2896	2704	install.exe	31
PID 2704 wrote to memory of 2896	2704	install.exe	31
PID 2704 wrote to memory of 2896	2704	install.exe	31
PID 2704 wrote to memory of 2896	2704	install.exe	31
PID 2704 wrote to memory of 2896	2704	install.exe	31
PID 2704 wrote to memory of 2896	2704	install.exe	31
PID 2896 wrote to memory of 2720	2896	isass.exe	32
PID 2896 wrote to memory of 2720	2896	isass.exe	32
PID 2896 wrote to memory of 2720	2896	isass.exe	32
PID 2896 wrote to memory of 2720	2896	isass.exe	32
PID 2896 wrote to memory of 2720	2896	isass.exe	32
PID 2896 wrote to memory of 2720	2896	isass.exe	32
PID 2896 wrote to memory of 2720	2896	isass.exe	32
PID 2720 wrote to memory of 1952	2720	cmd.exe	34
PID 2720 wrote to memory of 1952	2720	cmd.exe	34
PID 2720 wrote to memory of 1952	2720	cmd.exe	34
PID 2720 wrote to memory of 1952	2720	cmd.exe	34
PID 2720 wrote to memory of 1952	2720	cmd.exe	34
PID 2720 wrote to memory of 1952	2720	cmd.exe	34
PID 2720 wrote to memory of 1952	2720	cmd.exe	34
PID 1952 wrote to memory of 2560	1952	cmd.exe	35
PID 1952 wrote to memory of 2560	1952	cmd.exe	35
PID 1952 wrote to memory of 2560	1952	cmd.exe	35
PID 1952 wrote to memory of 2560	1952	cmd.exe	35
PID 1952 wrote to memory of 2560	1952	cmd.exe	35
PID 1952 wrote to memory of 2560	1952	cmd.exe	35
PID 1952 wrote to memory of 2560	1952	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\5265c27dea5781da8b32b2c0ffd12ac4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5265c27dea5781da8b32b2c0ffd12ac4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\install.exe
  "C:\Users\Admin\AppData\Local\Temp\install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\isass.exe
    "C:\Users\Admin\AppData\Local\isass.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c setup.bat
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1952
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup.bat

Filesize
143B

MD5
330d9a81f808b287b999c76c1d932ed6

SHA1
95146f6f084c39395e2fae892af065e85fddb8d1

SHA256
4e2ba5afae8aedfb7664f479ff30667dbabee99f63c922206df98ff56456a03f

SHA512
4abd3d3c6b40ae046366604fdfabdc2c97a54cd4c4046452014fb1087353d216b2920650cc2d147fd6c1a79fd7d73d7cd46a8ada0a5c70de70b87b480034e812

Download Submit
C:\Users\Admin\AppData\Local\isass.exe

Filesize
520KB

MD5
7df2deea5f5bc324fb11f3d4695d9ff1

SHA1
6fbe7e4df9964146feee0b9b3fb49bb9b59cc0ba

SHA256
6e8ae4b1f8822d5b6fa78972e104a26c2ceed963808bbd7d74e181d47ced986e

SHA512
8af27c727856363a9e41ea09b8c73ccef473447aa6bffa24039dc02f69e233fa0c4d9366bd06adf38a261361afcff13232a9d25a79babda77f3fbc9fa12c5dc3

Download Submit
\Users\Admin\AppData\Local\Temp\install.exe

Filesize
944KB

MD5
63f919bc1a6d84219e32d7c94d9a9bb2

SHA1
f2350da0291adbc377ad2fc78c04875b29c3d0e0

SHA256
d0529129f3646e2c124a2ee94beff0c77f2f8d606bb3942f7e1e1f967c9eb104

SHA512
92edae4ef16c02ef4d7bc2b2d32792d32c8f88c0e93f3adfb4785fa5834f0c1570ddc29ade364fd465e17635449a8e706e147480fe6b6c05ff6a632f841f5d6e

Download Submit
\Users\Admin\AppData\Local\ntldr.dll

Filesize
216KB

MD5
c9e7bf0068bf9d191ff0f45ccaf65f99

SHA1
40d9f5ee5814ccde7a460d188fa3609ff613c14c

SHA256
8adb4f985d7ff250c803d537c4ab1b8e76259aba6db41b27c327f0bb64fa63f0

SHA512
802bccbbfcc7c5c882ed3273b5fdde2b2a3963775e1d705cd410d0d32dae63f9a303cf307c36fa532c7956ae2abb800bd5a4b6208fcd36bc89ce1475e35ee640

Download Submit
memory/2648-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2648-7-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2704-22-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/2896-29-0x0000000000260000-0x000000000029C000-memory.dmp

Filesize
240KB

Download
memory/2896-38-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2896-39-0x0000000000260000-0x000000000029C000-memory.dmp

Filesize
240KB

Download