1111c6d4e534b6a777b8c22194e97ce2218436ec0767deeecf24c020d3ff452c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6848415f63163335950d942ec05925d1_JaffaCakes118.exe
Size

129KB
MD5

6848415f63163335950d942ec05925d1
SHA1

120a89c8619a572052bb5796f7ae27b0be4f5ff5
SHA256

1111c6d4e534b6a777b8c22194e97ce2218436ec0767deeecf24c020d3ff452c
SHA512

ad95ab25d9af5a61612aac523471456ff7106bb5456e071d7697710ad3ba031162382e35dd45516a8ac6c1f99fcff057f027078f45a24e6ef367363b6ba34802
SSDEEP

3072:MQIURTXJN0ZLpPVcBeNoWAlZEIKhkoQjrOSE:Msv0ZlPKQovlnKh+jrS

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1876	BetterInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6848415f63163335950d942ec05925d1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BetterInstaller.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1876	BetterInstaller.exe
1876	BetterInstaller.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1876	2020	6848415f63163335950d942ec05925d1_JaffaCakes118.exe	84
PID 2020 wrote to memory of 1876	2020	6848415f63163335950d942ec05925d1_JaffaCakes118.exe	84
PID 2020 wrote to memory of 1876	2020	6848415f63163335950d942ec05925d1_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\6848415f63163335950d942ec05925d1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6848415f63163335950d942ec05925d1_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\TempDIR\BetterInstaller.exe
  "C:\Users\Admin\AppData\Local\TempDIR\BetterInstaller.exe" /affid "lionskin" /id "8skinpack64" /name "8 Skin Pack 64"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempDIR\BetterInstaller.exe

Filesize
193KB

MD5
9f633bcbad2408a47022010192d60863

SHA1
285a99a70ba7f9c85e0e572bfb69c2c648415d9f

SHA256
738a98aaf02f6f3077dc91aee772649f7bdd917bcdf0915ac7b3b449551ff7df

SHA512
d41fe61777ce34907f8c03e66bd4c07374ab21a988556572424dd7ceabeccf7ac0bd416710abc9a6a2749dd649bc7ba9e02b49c8ed24b58a57b132980609a3f3

Download Submit
memory/1876-5-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1876-76-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download