53fac46129abda3d4e515a3bec0980ca1e44ba57fd7aeec3d624bd9aa6680526

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4d856eb0a221fa7ca6c020db37b0c25_JaffaCakes118.exe
Size

131KB
MD5

a4d856eb0a221fa7ca6c020db37b0c25
SHA1

c81ff23cc49a0b3e66451df743a001e0c7ffe65d
SHA256

53fac46129abda3d4e515a3bec0980ca1e44ba57fd7aeec3d624bd9aa6680526
SHA512

e784ed6e07875fd10fa1c0aeca21e84a60f64e2b15f127cbcd1bf847c99fab31eb2b211b2118de3b15dcf3a1176408ea4b8a217c683a4096ae273663dbb4bd49
SSDEEP

1536:ITHiPBX4nDzMyRXGHrc9YRHqbTypgpmb5Q+ZReSdhk/J+YLgD3mrxb53cSuYQjKP:xPd4n/M+WLcilrpgGH/GwY87mVmIXf

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2052	wn2ra4ohzdr.exe

Loads dropped DLL 1 IoCs

pid	Process
2316	a4d856eb0a221fa7ca6c020db37b0c25_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\raj4dkhhiap = "C:\\Users\\Admin\\AppData\\Roaming\\raj4dkhhiap\\wn2ra4ohzdr.exe"	a4d856eb0a221fa7ca6c020db37b0c25_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4d856eb0a221fa7ca6c020db37b0c25_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wn2ra4ohzdr.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2052	2316	a4d856eb0a221fa7ca6c020db37b0c25_JaffaCakes118.exe	31
PID 2316 wrote to memory of 2052	2316	a4d856eb0a221fa7ca6c020db37b0c25_JaffaCakes118.exe	31
PID 2316 wrote to memory of 2052	2316	a4d856eb0a221fa7ca6c020db37b0c25_JaffaCakes118.exe	31
PID 2316 wrote to memory of 2052	2316	a4d856eb0a221fa7ca6c020db37b0c25_JaffaCakes118.exe	31
PID 2052 wrote to memory of 2704	2052	wn2ra4ohzdr.exe	32
PID 2052 wrote to memory of 2704	2052	wn2ra4ohzdr.exe	32
PID 2052 wrote to memory of 2704	2052	wn2ra4ohzdr.exe	32
PID 2052 wrote to memory of 2704	2052	wn2ra4ohzdr.exe	32

C:\Users\Admin\AppData\Local\Temp\a4d856eb0a221fa7ca6c020db37b0c25_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a4d856eb0a221fa7ca6c020db37b0c25_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
  "C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
    "C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe"
    3⤵
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe

Filesize
131KB

MD5
5b9e51e4570cd68d321a99250f13a3e6

SHA1
8e12370e1d1a2d1249bfe22aa78adca4370dffed

SHA256
ca3b40c39c3859489b304f4288be6f1e406800e636d83860864524d8f6656f86

SHA512
da5a614820ec97833bf7c7370183fea6833f86ce537c1402c526128393e61585ba67e6339d9b75b723cd5271ba520043c7d125982381699a6ff83184308f462d

Download Submit
memory/2052-13-0x0000000074540000-0x0000000074C2E000-memory.dmp

Filesize
6.9MB

Download
memory/2052-14-0x0000000001310000-0x0000000001338000-memory.dmp

Filesize
160KB

Download
memory/2052-15-0x0000000074540000-0x0000000074C2E000-memory.dmp

Filesize
6.9MB

Download
memory/2052-16-0x0000000074540000-0x0000000074C2E000-memory.dmp

Filesize
6.9MB

Download
memory/2052-17-0x0000000074540000-0x0000000074C2E000-memory.dmp

Filesize
6.9MB

Download
memory/2316-0-0x000000007454E000-0x000000007454F000-memory.dmp

Filesize
4KB

Download
memory/2316-1-0x0000000000860000-0x0000000000888000-memory.dmp

Filesize
160KB

Download
memory/2316-2-0x0000000074540000-0x0000000074C2E000-memory.dmp

Filesize
6.9MB

Download
memory/2316-3-0x0000000000680000-0x00000000006A0000-memory.dmp

Filesize
128KB

Download
memory/2316-12-0x0000000074540000-0x0000000074C2E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads