eb148775b1ecebf3cced4ce8404bb65b4964b133f2cda920682be66e24384e94

Analysis

max time kernel
137s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82716bb4b431ad6d5877e83e20aac059_JaffaCakes118.exe
Size

116KB
MD5

82716bb4b431ad6d5877e83e20aac059
SHA1

bc79916e193cbaf2fdfed23261ce9624451e94c9
SHA256

eb148775b1ecebf3cced4ce8404bb65b4964b133f2cda920682be66e24384e94
SHA512

9a621f623e57aa7a1abe5e906c821d13f8e00ca45d4d2136d141f7515eea67c979094ef09f7dbed1e2c422b444d22c33e01c3fbe16cd58f4e674abe9f4e3d459
SSDEEP

1536:EuZR7UI4XUFLL44WqEigJxwqSEXewmCOOHOpT20cm0E46s0DeiRqWkzfftLx44a+:E4R4Xu4xigVXFpHO120v/bem6ftQnB

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
2696	servs.exe
2840	servs.exe
2576	servs.exe
2388	servs.exe
2064	servs.exe
1132	servs.exe
2032	servs.exe
2972	servs.exe
960	servs.exe
1540	servs.exe

Loads dropped DLL 20 IoCs

pid	Process
2848	82716bb4b431ad6d5877e83e20aac059_JaffaCakes118.exe
2848	82716bb4b431ad6d5877e83e20aac059_JaffaCakes118.exe
2696	servs.exe
2696	servs.exe
2840	servs.exe
2840	servs.exe
2576	servs.exe
2576	servs.exe
2388	servs.exe
2388	servs.exe
2064	servs.exe
2064	servs.exe
1132	servs.exe
1132	servs.exe
2032	servs.exe
2032	servs.exe
2972	servs.exe
2972	servs.exe
960	servs.exe
960	servs.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\servs.exe	servs.exe
File created	C:\Windows\SysWOW64\servs.exe	servs.exe
File opened for modification	C:\Windows\SysWOW64\servs.exe	servs.exe
File created	C:\Windows\SysWOW64\servs.exe	servs.exe
File opened for modification	C:\Windows\SysWOW64\servs.exe	servs.exe
File created	C:\Windows\SysWOW64\servs.exe	servs.exe
File opened for modification	C:\Windows\SysWOW64\servs.exe	82716bb4b431ad6d5877e83e20aac059_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\servs.exe	servs.exe
File created	C:\Windows\SysWOW64\servs.exe	servs.exe
File opened for modification	C:\Windows\SysWOW64\servs.exe	servs.exe
File created	C:\Windows\SysWOW64\servs.exe	servs.exe
File created	C:\Windows\SysWOW64\servs.exe	servs.exe
File opened for modification	C:\Windows\SysWOW64\servs.exe	servs.exe
File opened for modification	C:\Windows\SysWOW64\servs.exe	servs.exe
File opened for modification	C:\Windows\SysWOW64\servs.exe	servs.exe
File created	C:\Windows\SysWOW64\servs.exe	servs.exe
File opened for modification	C:\Windows\SysWOW64\servs.exe	servs.exe
File opened for modification	C:\Windows\SysWOW64\servs.exe	servs.exe
File created	C:\Windows\SysWOW64\servs.exe	servs.exe
File opened for modification	C:\Windows\SysWOW64\servs.exe	servs.exe
File created	C:\Windows\SysWOW64\servs.exe	servs.exe
File created	C:\Windows\SysWOW64\servs.exe	82716bb4b431ad6d5877e83e20aac059_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82716bb4b431ad6d5877e83e20aac059_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servs.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2696	2848	82716bb4b431ad6d5877e83e20aac059_JaffaCakes118.exe	31
PID 2848 wrote to memory of 2696	2848	82716bb4b431ad6d5877e83e20aac059_JaffaCakes118.exe	31
PID 2848 wrote to memory of 2696	2848	82716bb4b431ad6d5877e83e20aac059_JaffaCakes118.exe	31
PID 2848 wrote to memory of 2696	2848	82716bb4b431ad6d5877e83e20aac059_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2840	2696	servs.exe	32
PID 2696 wrote to memory of 2840	2696	servs.exe	32
PID 2696 wrote to memory of 2840	2696	servs.exe	32
PID 2696 wrote to memory of 2840	2696	servs.exe	32
PID 2840 wrote to memory of 2576	2840	servs.exe	33
PID 2840 wrote to memory of 2576	2840	servs.exe	33
PID 2840 wrote to memory of 2576	2840	servs.exe	33
PID 2840 wrote to memory of 2576	2840	servs.exe	33
PID 2576 wrote to memory of 2388	2576	servs.exe	34
PID 2576 wrote to memory of 2388	2576	servs.exe	34
PID 2576 wrote to memory of 2388	2576	servs.exe	34
PID 2576 wrote to memory of 2388	2576	servs.exe	34
PID 2388 wrote to memory of 2064	2388	servs.exe	35
PID 2388 wrote to memory of 2064	2388	servs.exe	35
PID 2388 wrote to memory of 2064	2388	servs.exe	35
PID 2388 wrote to memory of 2064	2388	servs.exe	35
PID 2064 wrote to memory of 1132	2064	servs.exe	37
PID 2064 wrote to memory of 1132	2064	servs.exe	37
PID 2064 wrote to memory of 1132	2064	servs.exe	37
PID 2064 wrote to memory of 1132	2064	servs.exe	37
PID 1132 wrote to memory of 2032	1132	servs.exe	38
PID 1132 wrote to memory of 2032	1132	servs.exe	38
PID 1132 wrote to memory of 2032	1132	servs.exe	38
PID 1132 wrote to memory of 2032	1132	servs.exe	38
PID 2032 wrote to memory of 2972	2032	servs.exe	39
PID 2032 wrote to memory of 2972	2032	servs.exe	39
PID 2032 wrote to memory of 2972	2032	servs.exe	39
PID 2032 wrote to memory of 2972	2032	servs.exe	39
PID 2972 wrote to memory of 960	2972	servs.exe	40
PID 2972 wrote to memory of 960	2972	servs.exe	40
PID 2972 wrote to memory of 960	2972	servs.exe	40
PID 2972 wrote to memory of 960	2972	servs.exe	40
PID 960 wrote to memory of 1540	960	servs.exe	41
PID 960 wrote to memory of 1540	960	servs.exe	41
PID 960 wrote to memory of 1540	960	servs.exe	41
PID 960 wrote to memory of 1540	960	servs.exe	41

C:\Users\Admin\AppData\Local\Temp\82716bb4b431ad6d5877e83e20aac059_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\82716bb4b431ad6d5877e83e20aac059_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\servs.exe
  C:\Windows\system32\servs.exe 476 "C:\Users\Admin\AppData\Local\Temp\82716bb4b431ad6d5877e83e20aac059_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\servs.exe
    C:\Windows\system32\servs.exe 528 "C:\Windows\SysWOW64\servs.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\servs.exe
      C:\Windows\system32\servs.exe 532 "C:\Windows\SysWOW64\servs.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\SysWOW64\servs.exe
        
        C:\Windows\system32\servs.exe 536 "C:\Windows\SysWOW64\servs.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Windows\SysWOW64\servs.exe
        
        C:\Windows\system32\servs.exe 540 "C:\Windows\SysWOW64\servs.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\servs.exe
        
        C:\Windows\system32\servs.exe 552 "C:\Windows\SysWOW64\servs.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\servs.exe
        
        C:\Windows\system32\servs.exe 548 "C:\Windows\SysWOW64\servs.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\servs.exe
        
        C:\Windows\system32\servs.exe 556 "C:\Windows\SysWOW64\servs.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\servs.exe
        
        C:\Windows\system32\servs.exe 564 "C:\Windows\SysWOW64\servs.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\servs.exe
        
        C:\Windows\system32\servs.exe 560 "C:\Windows\SysWOW64\servs.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\servs.exe

Filesize
116KB

MD5
82716bb4b431ad6d5877e83e20aac059

SHA1
bc79916e193cbaf2fdfed23261ce9624451e94c9

SHA256
eb148775b1ecebf3cced4ce8404bb65b4964b133f2cda920682be66e24384e94

SHA512
9a621f623e57aa7a1abe5e906c821d13f8e00ca45d4d2136d141f7515eea67c979094ef09f7dbed1e2c422b444d22c33e01c3fbe16cd58f4e674abe9f4e3d459

Download Submit
memory/960-57-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1132-45-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2032-49-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2064-41-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2388-37-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2576-28-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2576-27-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2576-33-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2696-14-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2696-22-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2840-29-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2840-26-0x0000000002350000-0x000000000240B000-memory.dmp

Filesize
748KB

Download
memory/2840-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2840-20-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2848-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2848-16-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2848-11-0x0000000002750000-0x000000000280B000-memory.dmp

Filesize
748KB

Download
memory/2848-12-0x0000000002750000-0x000000000280B000-memory.dmp

Filesize
748KB

Download
memory/2848-0-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2972-53-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download