d3257ae8197f50ea531263f79ec829700c8a114ea5326551bae26bdaac61d06e

Analysis

max time kernel
94s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ead56f9350f3516c20393d444c4d7ed_JaffaCakes118.exe
Size

571KB
MD5

9ead56f9350f3516c20393d444c4d7ed
SHA1

7001b8e3324fa30b3bdcf516ef0d56e9702b9a80
SHA256

d3257ae8197f50ea531263f79ec829700c8a114ea5326551bae26bdaac61d06e
SHA512

df26a28ffe9e17bfeeef87eda2142f00ec797d914e5c6fac74dc5695222834341270a24d0e845a78c55f57ee34af5980c9372c846e8a2667b0b51cb2ea5cbc41
SSDEEP

12288:5MMnglWkhK70cEbt/yoQSMPi2JIU87W/vTdg+OKQ2HqnSlsfE8x:5M44WkhA0LlyoQSMP3JI2vTdgCyH8c

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ko2233.exe

pid process

1872 ko2233.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

pid	process
1872	ko2233.exe

Drops file in Program Files directory 2 IoCs

Processes:

ko2233.exe

description	ioc	process
File created	C:\Program Files\NetMeeting\win.vbs	ko2233.exe
File opened for modification	C:\Program Files\NetMeeting\win.vbs	ko2233.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ko2233.exeregedit.execmd.exe9ead56f9350f3516c20393d444c4d7ed_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ko2233.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ead56f9350f3516c20393d444c4d7ed_JaffaCakes118.exe

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

640 regedit.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ko2233.exe

pid process

1872 ko2233.exe
1872 ko2233.exe

pid	process
640	regedit.exe

pid	process
1872	ko2233.exe
1872	ko2233.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9ead56f9350f3516c20393d444c4d7ed_JaffaCakes118.exeko2233.exe

description	pid	process	target process
PID 4040 wrote to memory of 1872	4040	9ead56f9350f3516c20393d444c4d7ed_JaffaCakes118.exe	ko2233.exe
PID 4040 wrote to memory of 1872	4040	9ead56f9350f3516c20393d444c4d7ed_JaffaCakes118.exe	ko2233.exe
PID 4040 wrote to memory of 1872	4040	9ead56f9350f3516c20393d444c4d7ed_JaffaCakes118.exe	ko2233.exe
PID 1872 wrote to memory of 640	1872	ko2233.exe	regedit.exe
PID 1872 wrote to memory of 640	1872	ko2233.exe	regedit.exe
PID 1872 wrote to memory of 640	1872	ko2233.exe	regedit.exe
PID 1872 wrote to memory of 1496	1872	ko2233.exe	cmd.exe
PID 1872 wrote to memory of 1496	1872	ko2233.exe	cmd.exe
PID 1872 wrote to memory of 1496	1872	ko2233.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9ead56f9350f3516c20393d444c4d7ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9ead56f9350f3516c20393d444c4d7ed_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4040
- C:\ProgramData\ko2233.exe
  C:\ProgramData\ko2233.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\WINDOWS\temp\tmp.reg
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:640
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c del ko2233.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ko2233.exe

Filesize
1.2MB

MD5
5555a8f5c2656185a9385981a24db0f3

SHA1
cccdbf7cced5abf7811a242c573ad88cab7f11c6

SHA256
eb3cc01ad47d40a9a67ceaa3f88f9aca907ccdbc6f0b186a616b27d78b8bd778

SHA512
ca31e2976484e88636165ecdf66d999625dcc5964a24d6be9d85539d6bedb1adb51d43d9a573b3e7869dfade5998a898d25c039109dd7482ba846bbf65e956c5

Download Submit
C:\Windows\Temp\tmp.reg

Filesize
1KB

MD5
a95044fc8bd71a6ecdd487f2a30f1d4e

SHA1
0e1ba880fdc2ac01b84febdbb4b5325a5ecfc706

SHA256
77730b194cf461a72285734ae3aafa83b435bb6b5587f31779f2ef5e43666906

SHA512
ee8d894e25716c5b54809855ca73ae680dee9b01478cbd8b9417d3d388448df496b27c1f7ab75a9757dc76d8e41ad1a64a5a720e249fcd9a25707ccda5f6692d

Download Submit
memory/1872-5-0x0000000002160000-0x000000000216D000-memory.dmp

Filesize
52KB

Download
memory/1872-7-0x00000000021E0000-0x00000000021FC000-memory.dmp

Filesize
112KB

Download
memory/1872-11-0x00000000021E0000-0x00000000021FC000-memory.dmp

Filesize
112KB

Download
memory/1872-12-0x0000000002D20000-0x0000000002D5E000-memory.dmp

Filesize
248KB

Download
memory/1872-13-0x0000000002D20000-0x0000000002D5E000-memory.dmp

Filesize
248KB

Download