e688bf3fa8b2cf79f44b6d70afd55edb6258750f50997d0f9b76e0af3ed824a6

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f14fd4f9657342f3df783a7a6bb0d2c_JaffaCakes118.exe
Size

60KB
MD5

9f14fd4f9657342f3df783a7a6bb0d2c
SHA1

a2fbc7d2fb9f4bc5246d726303d0909fa3914400
SHA256

e688bf3fa8b2cf79f44b6d70afd55edb6258750f50997d0f9b76e0af3ed824a6
SHA512

0cce69582ffc0807b770404586708629d42ce805b3d7eb08d67f24cef8e077498e07486fef401f8f193bc38d679cab892fd463de0705900bc98b1706b3382ef8
SSDEEP

768:xOSpAZko5ewReAS4sIsttee+0dGqWTvBfnuAuvyBPFpU1tD:xObZkzrlyeBGqW9fuDvestD

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2512	RTHDCPD.EXE

Executes dropped EXE 1 IoCs

pid	Process
2512	RTHDCPD.EXE

Loads dropped DLL 2 IoCs

pid	Process
1756	9f14fd4f9657342f3df783a7a6bb0d2c_JaffaCakes118.exe
1756	9f14fd4f9657342f3df783a7a6bb0d2c_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\SCREENDEXE\RTHDCPD.EXE	9f14fd4f9657342f3df783a7a6bb0d2c_JaffaCakes118.exe
File opened for modification	C:\Program Files\SCREENDEXE\RTHDCPD.EXE	9f14fd4f9657342f3df783a7a6bb0d2c_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f14fd4f9657342f3df783a7a6bb0d2c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RTHDCPD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1756	9f14fd4f9657342f3df783a7a6bb0d2c_JaffaCakes118.exe
2512	RTHDCPD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2512	1756	9f14fd4f9657342f3df783a7a6bb0d2c_JaffaCakes118.exe	31
PID 1756 wrote to memory of 2512	1756	9f14fd4f9657342f3df783a7a6bb0d2c_JaffaCakes118.exe	31
PID 1756 wrote to memory of 2512	1756	9f14fd4f9657342f3df783a7a6bb0d2c_JaffaCakes118.exe	31
PID 1756 wrote to memory of 2512	1756	9f14fd4f9657342f3df783a7a6bb0d2c_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\9f14fd4f9657342f3df783a7a6bb0d2c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9f14fd4f9657342f3df783a7a6bb0d2c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Program Files\SCREENDEXE\RTHDCPD.EXE
  "C:\Program Files\SCREENDEXE\RTHDCPD.EXE"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\TempTxt

Filesize
84B

MD5
8566cfe06a9539d410fd46426a365ca1

SHA1
af484cefcbd4325de1beda5a5483bb0f7caafd44

SHA256
1b8729c0a72948b17d594ead3b6512e1fd056e74ee4b572c720cf3e2c7f0f965

SHA512
1ec8543ab50085ab031ebcbeae6d31f75e8f8274b01774a2662803cdea6570e4d13a536dc1543825021961f59e59dfea9de060268c615033e6f7fe911b64d55c

Download Submit
\Program Files\SCREENDEXE\RTHDCPD.EXE

Filesize
6.7MB

MD5
5ba3e10946d7492a12b77e287cb01aff

SHA1
74d8b68eb84cfafbb5b8866363f018b2521e8348

SHA256
e48986c4fc424cf84dbda824bd80133a27ac638518d90fd04324fde2c8668584

SHA512
df393361cf92a75eb99a24f62af101ea8e4bbe85851fde738a842120736ecb73d112e4c0bad49fb4bcda40c5695037e8ed289616d9d7128c5d17b1bdc7dde3a4

Download Submit