e620368c0e4424f2207bd1b045c72af6a45ab9f70cb904a9b87eb098150203d5

Resubmissions

14-01-2025 05:40

250114-gc3syaykcv 10

14-01-2025 05:39

250114-gcgwgazqek 3

30-12-2024 20:05

241230-ytyc8ayqgy 10

Analysis

max time kernel
70s
max time network
66s
platform
windows7_x64
resource
win7-20240903-es
resource tags

arch:x64arch:x86image:win7-20240903-eslocale:es-esos:windows7-x64systemwindows
submitted
14-01-2025 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e620368c0e4424f2207bd1b045c72af6a45ab9f70cb904a9b87eb098150203d5.zip
Size

262KB
MD5

c0500cafe34e3f5b730e2f35c8ac577f
SHA1

799b4b1d203c96cd37165778deda320b6ad56bc6
SHA256

e620368c0e4424f2207bd1b045c72af6a45ab9f70cb904a9b87eb098150203d5
SHA512

67d250745cf2cfdc8540a29c2d4aa193794f0d1f5e9026162b60a47b0cd0477a25ae11d381099be7e5060d37fb9f9e82ee7d9e084eb8e30eba1552589b5cc477
SSDEEP

6144:h6TIBWFI68ccfbUHbd0WEE6NSH3qgFPZcPkcfFLq:h6L78cjHOWve2qgYrFLq

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\bin_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\.bin	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\bin_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\bin_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\bin_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\.bin\ = "bin_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\bin_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\bin_auto_file\shell	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1648	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	1648	7zFM.exe
Token: 35	1648	7zFM.exe
Token: SeSecurityPrivilege	1648	7zFM.exe
Token: SeSecurityPrivilege	1648	7zFM.exe
Token: SeSecurityPrivilege	1648	7zFM.exe
Token: SeSecurityPrivilege	1648	7zFM.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1648	7zFM.exe
1648	7zFM.exe
1648	7zFM.exe
1648	7zFM.exe
1648	7zFM.exe
1648	7zFM.exe
1648	7zFM.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2708	AcroRd32.exe
2708	AcroRd32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2708	2648	rundll32.exe	34
PID 2648 wrote to memory of 2708	2648	rundll32.exe	34
PID 2648 wrote to memory of 2708	2648	rundll32.exe	34
PID 2648 wrote to memory of 2708	2648	rundll32.exe	34

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e620368c0e4424f2207bd1b045c72af6a45ab9f70cb904a9b87eb098150203d5.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1648

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\DHL __.pdf(5).bin
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\DHL __.pdf(5).bin"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\DHL __.pdf(5).bin

Filesize
555KB

MD5
6b0b4b91770ed2c332a13e78ac56af6d

SHA1
b96e951b5ee4617c6d6e3c1fd23c5d0ef8b3c11d

SHA256
8161225680dbb5c52e0192230c0d1b9b87120d92b289e14f93479e38024be17d

SHA512
b3e8354ca9a80d63a78eb90a74b29c4ce44d461cf9c11846e6232b382b5f95720cc5f6876179b99f42649441b5f0993fada5e470dff057b227cea961d62a8f2d

Download Submit