1ab36b9063ea025ad4c76af9c22d6abfd8b146176d458ee5d8a9fa19dbc651b3

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
Size

3.5MB
MD5

575ea62ef56a81ff54c95e278041a9f9
SHA1

7b5447a95b9dd928921caf53d1f7ff20d108035b
SHA256

1ab36b9063ea025ad4c76af9c22d6abfd8b146176d458ee5d8a9fa19dbc651b3
SHA512

294137d5bfda38314df4d29ea6d1fe1267f00c29d819c50c088725f7b0913163bfefe8a01334b73e75d14ad7b3c282aec62aa48b9b547c89c9afbcf0dbd02678
SSDEEP

98304:W7z4VzbVwXxyiz8TBWAVuDJovRWvH7puYnBF0FC:GebVyzgWlDJovRWvbccx

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
4456	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
4456	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
4456	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 49 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Master Commander\Controls.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Master Commander\DirectShowLib.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Master Commander\Fireball.CodeEditor.SyntaxFiles.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Master Commander\Fireball.CodeEditor.SyntaxFiles.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Master Commander\Viewers.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Master Commander\Asn1Utils.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Master Commander\Interop.Shell32.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Master Commander\IsoUtils.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Master Commander\lng\english.lng	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Master Commander\_ci_gentee	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Master Commander\Controls.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Master Commander\Fireball.CodeEditor.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Master Commander\Fireball.Windows.Forms.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Master Commander\FreeImage.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Master Commander\Interop.Shell32.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Master Commander\lng\deutsch.lng	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Master Commander\Master Commander.exe	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Master Commander\lng\deutsch.lng	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Master Commander\uninstall.ini	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Master Commander\Fireball.Core.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Master Commander\Fireball.Core.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Master Commander\Fireball.Win32.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Master Commander\Fireball.Windows.Forms.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Master Commander\ICSharpCode.SharpZipLib.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Master Commander\IsoUtils.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Master Commander\Master Commander.exe	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Master Commander\pomoc.chm	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Master Commander\Viewers.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Master Commander\masklist.lst	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Master Commander\unrar.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Master Commander\Asn1Utils.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Master Commander\DirectShowLib.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Master Commander\Fireball.CodeEditor.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Master Commander\Fireball.Win32.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Master Commander\lng\bulgarian.lng	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Master Commander\lng\bulgarian.lng	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Master Commander\masklist.lst	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Master Commander\uninstall.exe	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Master Commander\Fireball.SyntaxDocument.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Master Commander\lng\english.lng	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Master Commander\lng\francais.lng	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Master Commander\pomoc.chm	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Master Commander\unrar.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Master Commander\Fireball.SyntaxDocument.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Master Commander\FreeImage.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Master Commander\ICSharpCode.SharpZipLib.dll	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Master Commander\lng\francais.lng	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Master Commander\lng\polski.lng	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Master Commander\lng\polski.lng	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\575ea62ef56a81ff54c95e278041a9f9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Master Commander\Master Commander.exe

Filesize
2.1MB

MD5
19a5b2065ca07eb9dea432388fc3ef5d

SHA1
1495dc02d2dcb966564ddd2eff30e7304d30159b

SHA256
07795c1ea1174dfb8cc308edf2ff86dcde8e0aab2320a040c08bfa59a49f9eb5

SHA512
5cd77c318f4b7aa937c265fe6c6234d5429b3e11c81ec2d866d98ad6016b3cbd508e9857fe55e14a4289ce36709ea09b36df4b9c0ac757340cb4835d558398c3

Download Submit
C:\Program Files (x86)\Master Commander\uninstall.ini

Filesize
2KB

MD5
89102b667e249afb446827693a8b75e8

SHA1
9d45e8b86c2fcc850ff9f7956b75d5ae50e91b27

SHA256
1d736c36c43c4cea1225389233c19ebc9bf7f193834d29b6c32251ed2981381b

SHA512
aa1902b337b8860ab0d25f7ed0b68c2023077c8705341fd49082f9e7ec2589f9c0e3446f6aedc08a669e18da978be5316d315d3e62ad4c76c59a88d2dcc38452

Download Submit
C:\Users\Admin\AppData\Local\Temp\genteeFB\guig.dll

Filesize
20KB

MD5
8757cd8c68b85d668f15befc13251d5e

SHA1
4ac9df9e507727072644e03815ab2f872e72fd89

SHA256
96d1906ef8f1ac224830da79bc9492aa21ffbacd4caa4fb44cc64dedf09047a2

SHA512
9a3286826d1ce780ce699dfd8d1244a94ce8700a89c75f2dbcfbae19e8609d243754067385364bdecb91e9108c11c062564e2d045652977faaf2e92d129b1a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\genteert.dll

Filesize
60KB

MD5
ceb49a8552067f2b08c93aaa38da3d12

SHA1
7f4275ced86f448eb29f0b26cf5fe86fe43c783f

SHA256
904b926c5359a4058a80057cdc4bed4c0be43c2e1c8993e870cbab69831a84b4

SHA512
d2a593bc04a3497b7cfbfd2a89add0dbf87f1e2fd159af9b44155cf3d35e16b3a4ae7ada194db94258385c5b9de49abb1e3ad8d26cbfc444d03798433e8e843d

Download Submit
memory/4456-19-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download