47a8bbcdbacf5ffc6824fab2b4dd3d0625174f9d68aa67fd0eece5ce9fd2d7db

Analysis

max time kernel
1s
max time network
5s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/02/2025, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_07c0b59dee261086d7a85b18bf4c1689.exe
Size

1.2MB
MD5

07c0b59dee261086d7a85b18bf4c1689
SHA1

a5914159aa80b1b4edca311344bd8d49331fb62f
SHA256

47a8bbcdbacf5ffc6824fab2b4dd3d0625174f9d68aa67fd0eece5ce9fd2d7db
SHA512

a62a654a07f9a6d71a30f0189b03c27008594aabdc7819e0a9d63d75297a42bb3014de64d07c25a52518ff590b433f38d5289d99a80105817955adf10247afef
SSDEEP

12288:zRz5f7CiUySyZplm/VK7Ba1gMUIC2DjxOCDQtaHehQK8y5Av3vW1pIhrRRhsLrIu:zRdfUkC94sUC/vnakTTjcccV

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_07c0b59dee261086d7a85b18bf4c1689.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2368	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2520	JaffaCakes118_07c0b59dee261086d7a85b18bf4c1689.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	JaffaCakes118_07c0b59dee261086d7a85b18bf4c1689.exe
Token: SeDebugPrivilege	2368	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2372	2520	JaffaCakes118_07c0b59dee261086d7a85b18bf4c1689.exe	30
PID 2520 wrote to memory of 2372	2520	JaffaCakes118_07c0b59dee261086d7a85b18bf4c1689.exe	30
PID 2520 wrote to memory of 2372	2520	JaffaCakes118_07c0b59dee261086d7a85b18bf4c1689.exe	30
PID 2520 wrote to memory of 2372	2520	JaffaCakes118_07c0b59dee261086d7a85b18bf4c1689.exe	30
PID 2372 wrote to memory of 2368	2372	cmd.exe	32
PID 2372 wrote to memory of 2368	2372	cmd.exe	32
PID 2372 wrote to memory of 2368	2372	cmd.exe	32
PID 2372 wrote to memory of 2368	2372	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c0b59dee261086d7a85b18bf4c1689.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c0b59dee261086d7a85b18bf4c1689.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\caiz.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c0b59dee261086d7a85b18bf4c1689.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2368

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\caiz.bat

Filesize
241B

MD5
be8f2e424147c9ae77a14a27c7a8672d

SHA1
a870eea97431ab2e93a5ca6fc4088a3b0001736e

SHA256
8c59f04ca5b416dcbf2d16b828a60c3ed843df614e5147a5c8152d67478bd460

SHA512
127e0b0987ba70ac1ff92973cd6cf9066703ea793e33639a14d3fb90d054458a33618cb31b6e583504cfb8c03e6121096fb31ed30d9e50ea4e5395b4ee34b6aa

Download Submit
memory/2520-0-0x0000000074DE1000-0x0000000074DE2000-memory.dmp

Filesize
4KB

Download
memory/2520-1-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/2520-2-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download