b340b8ea5192145edfbee4b08fca0367531f7755b3356b751ef6c9d938edb4d4

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18/10/2024, 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55a2ed99ab5f90b3adab07d03cc944d9_JaffaCakes118.exe
Size

116KB
MD5

55a2ed99ab5f90b3adab07d03cc944d9
SHA1

27ad81e203cc0e5e193331147418b6c17a3e9822
SHA256

b340b8ea5192145edfbee4b08fca0367531f7755b3356b751ef6c9d938edb4d4
SHA512

e43f74d862c3edca7dae15fdabfc7ddbd3a94f9f464e554041fb343094c745f8d182faca3c7d617c55ebd22d1f3b7b4150241e6d732ecf8b37c4781c2965555c
SSDEEP

1536:YGuryWkfL/+EHKwe+nEfJ/8LkDRouai7Of+YkKk7e9AeIuSDKP:YGuOzmEqwhMJ/8LkmuF7q+Yk7jeIuS2P

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2360	55a2ed99ab5f90b3adab07d03cc944d9_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2360 set thread context of 1364	2360	55a2ed99ab5f90b3adab07d03cc944d9_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55a2ed99ab5f90b3adab07d03cc944d9_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2360	55a2ed99ab5f90b3adab07d03cc944d9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 1364	2360	55a2ed99ab5f90b3adab07d03cc944d9_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1364	2360	55a2ed99ab5f90b3adab07d03cc944d9_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1364	2360	55a2ed99ab5f90b3adab07d03cc944d9_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1364	2360	55a2ed99ab5f90b3adab07d03cc944d9_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1364	2360	55a2ed99ab5f90b3adab07d03cc944d9_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1364	2360	55a2ed99ab5f90b3adab07d03cc944d9_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1364	2360	55a2ed99ab5f90b3adab07d03cc944d9_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1364	2360	55a2ed99ab5f90b3adab07d03cc944d9_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1364	2360	55a2ed99ab5f90b3adab07d03cc944d9_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1364	2360	55a2ed99ab5f90b3adab07d03cc944d9_JaffaCakes118.exe	31
PID 1364 wrote to memory of 1228	1364	55a2ed99ab5f90b3adab07d03cc944d9_JaffaCakes118.exe	21
PID 1364 wrote to memory of 1228	1364	55a2ed99ab5f90b3adab07d03cc944d9_JaffaCakes118.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228
- C:\Users\Admin\AppData\Local\Temp\55a2ed99ab5f90b3adab07d03cc944d9_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\55a2ed99ab5f90b3adab07d03cc944d9_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\55a2ed99ab5f90b3adab07d03cc944d9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\55a2ed99ab5f90b3adab07d03cc944d9_JaffaCakes118.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\chdkCJ7dF6.log

Filesize
4KB

MD5
e902586126f6819d70c276951934060e

SHA1
70c5fff85d05ee06f8feb095ff4c2e17c1758ed5

SHA256
8c927fb27e3fad539adead2a6902ba36bc07c4165d3cf8e5a463f805f7c15a2a

SHA512
60b3fbfc4a878dc1fd7bf789e0a6270bfd48ef488109dc27a8d0edefee918a6587915184d70a8776061394cd07aee3aa5343b477b31ac8323809d5bebf5fecec

Download Submit
memory/1228-32-0x0000000002AC0000-0x0000000002ACD000-memory.dmp

Filesize
52KB

Download
memory/1228-31-0x0000000002AC0000-0x0000000002ACD000-memory.dmp

Filesize
52KB

Download
memory/1364-17-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1364-33-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1364-35-0x0000000000401000-0x0000000000408000-memory.dmp

Filesize
28KB

Download
memory/1364-30-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1364-26-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1364-19-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1364-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1364-15-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1364-13-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1364-11-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2360-25-0x0000000000760000-0x0000000000770000-memory.dmp

Filesize
64KB

Download
memory/2360-22-0x0000000000760000-0x0000000000770000-memory.dmp

Filesize
64KB

Download
memory/2360-21-0x0000000000760000-0x0000000000770000-memory.dmp

Filesize
64KB

Download