1811676a18080914f8b25792a50f2253b6c54b9f54eb35abe6bfab50c5fa72d5

Analysis

max time kernel
92s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 09:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6eef31ce6c5d5b0c8da435e308875291_JaffaCakes118.exe
Size

356KB
MD5

6eef31ce6c5d5b0c8da435e308875291
SHA1

45ed6c062faf8aef2dd3cb1d5b204e0ea4072a6c
SHA256

1811676a18080914f8b25792a50f2253b6c54b9f54eb35abe6bfab50c5fa72d5
SHA512

63d778f514199a978615beefa749c867d55a4360d818e0c6bf0a6123cbef251168b316fb552224e0d985a7f0765da4713d2aa1688a9f38ad5a9d2881f507fba1
SSDEEP

3072:7vboV83s5AbCorUE8lXMWCs4dmmQFI2MlouGW3dzL8ipq32RKODNsLendWy6ilRb:7vbx8CrUBF4dmmcIBX9tzwZOgenQauW

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2852	reT9yTjcd9X.exe

Executes dropped EXE 2 IoCs

pid	Process
828	reT9yTjcd9X.exe
2852	reT9yTjcd9X.exe

Loads dropped DLL 4 IoCs

pid	Process
4664	6eef31ce6c5d5b0c8da435e308875291_JaffaCakes118.exe
4664	6eef31ce6c5d5b0c8da435e308875291_JaffaCakes118.exe
2852	reT9yTjcd9X.exe
2852	reT9yTjcd9X.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fzrBSQ06WLJBJgx = "C:\\ProgramData\\urgDs6oi\\reT9yTjcd9X.exe"	6eef31ce6c5d5b0c8da435e308875291_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4920 set thread context of 4664	4920	6eef31ce6c5d5b0c8da435e308875291_JaffaCakes118.exe	85
PID 828 set thread context of 2852	828	reT9yTjcd9X.exe	89
PID 2852 set thread context of 2232	2852	reT9yTjcd9X.exe	111

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6eef31ce6c5d5b0c8da435e308875291_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6eef31ce6c5d5b0c8da435e308875291_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reT9yTjcd9X.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reT9yTjcd9X.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 4664	4920	6eef31ce6c5d5b0c8da435e308875291_JaffaCakes118.exe	85
PID 4920 wrote to memory of 4664	4920	6eef31ce6c5d5b0c8da435e308875291_JaffaCakes118.exe	85
PID 4920 wrote to memory of 4664	4920	6eef31ce6c5d5b0c8da435e308875291_JaffaCakes118.exe	85
PID 4920 wrote to memory of 4664	4920	6eef31ce6c5d5b0c8da435e308875291_JaffaCakes118.exe	85
PID 4920 wrote to memory of 4664	4920	6eef31ce6c5d5b0c8da435e308875291_JaffaCakes118.exe	85
PID 4664 wrote to memory of 828	4664	6eef31ce6c5d5b0c8da435e308875291_JaffaCakes118.exe	88
PID 4664 wrote to memory of 828	4664	6eef31ce6c5d5b0c8da435e308875291_JaffaCakes118.exe	88
PID 4664 wrote to memory of 828	4664	6eef31ce6c5d5b0c8da435e308875291_JaffaCakes118.exe	88
PID 828 wrote to memory of 2852	828	reT9yTjcd9X.exe	89
PID 828 wrote to memory of 2852	828	reT9yTjcd9X.exe	89
PID 828 wrote to memory of 2852	828	reT9yTjcd9X.exe	89
PID 828 wrote to memory of 2852	828	reT9yTjcd9X.exe	89
PID 828 wrote to memory of 2852	828	reT9yTjcd9X.exe	89
PID 2852 wrote to memory of 2868	2852	reT9yTjcd9X.exe	90
PID 2852 wrote to memory of 2868	2852	reT9yTjcd9X.exe	90
PID 2852 wrote to memory of 2868	2852	reT9yTjcd9X.exe	90
PID 2852 wrote to memory of 2700	2852	reT9yTjcd9X.exe	98
PID 2852 wrote to memory of 2700	2852	reT9yTjcd9X.exe	98
PID 2852 wrote to memory of 2700	2852	reT9yTjcd9X.exe	98
PID 2852 wrote to memory of 1684	2852	reT9yTjcd9X.exe	99
PID 2852 wrote to memory of 1684	2852	reT9yTjcd9X.exe	99
PID 2852 wrote to memory of 1684	2852	reT9yTjcd9X.exe	99
PID 2852 wrote to memory of 3824	2852	reT9yTjcd9X.exe	101
PID 2852 wrote to memory of 3824	2852	reT9yTjcd9X.exe	101
PID 2852 wrote to memory of 3824	2852	reT9yTjcd9X.exe	101
PID 2852 wrote to memory of 2232	2852	reT9yTjcd9X.exe	111
PID 2852 wrote to memory of 2232	2852	reT9yTjcd9X.exe	111
PID 2852 wrote to memory of 2232	2852	reT9yTjcd9X.exe	111
PID 2852 wrote to memory of 2232	2852	reT9yTjcd9X.exe	111
PID 2852 wrote to memory of 2232	2852	reT9yTjcd9X.exe	111

C:\Users\Admin\AppData\Local\Temp\6eef31ce6c5d5b0c8da435e308875291_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6eef31ce6c5d5b0c8da435e308875291_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Users\Admin\AppData\Local\Temp\6eef31ce6c5d5b0c8da435e308875291_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\6eef31ce6c5d5b0c8da435e308875291_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\ProgramData\urgDs6oi\reT9yTjcd9X.exe
    "C:\ProgramData\urgDs6oi\reT9yTjcd9X.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\ProgramData\urgDs6oi\reT9yTjcd9X.exe
      "C:\ProgramData\urgDs6oi\reT9yTjcd9X.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /i:2852
        5⤵
        
        PID:2868
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{1FAB8CFE-9860-415C-A6CA-AA7D12021940}\2.0.0.34\BGAUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{1FAB8CFE-9860-415C-A6CA-AA7D12021940}\2.0.0.34\BGAUpdate.exe" /i:2852
        5⤵
        
        PID:2700
    - - C:\Program Files (x86)\Internet Explorer\ExtExport.exe
        
        "C:\Program Files (x86)\Internet Explorer\ExtExport.exe" /i:2852
        5⤵
        
        PID:1684
    - - C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe" /i:2852
        5⤵
        
        PID:3824
    - - C:\Program Files (x86)\Windows Media Player\setup_wm.exe
        
        "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /i:2852
        5⤵
        
        PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\urgDs6oi\RCX8E94.tmp

Filesize
356KB

MD5
ede3b21bd5398870807981e4b3c13f90

SHA1
33d35ba3168ef80873a4aa8f9c718aa448118119

SHA256
17bf1dea4fbe0ae656dfc5caa6f05446d25b580d510f10c9270d3cfed5d72d74

SHA512
bd4d646a5a2bef12fafae2034e30b560b47609ef585bc5689962db3bb2d4bda78e76b7ce493c00f3776d4a0d68275778b011c0b22b9d9db7455344517c0dd964

Download Submit
C:\ProgramData\urgDs6oi\reT9yTjcd9X.exe

Filesize
356KB

MD5
6eef31ce6c5d5b0c8da435e308875291

SHA1
45ed6c062faf8aef2dd3cb1d5b204e0ea4072a6c

SHA256
1811676a18080914f8b25792a50f2253b6c54b9f54eb35abe6bfab50c5fa72d5

SHA512
63d778f514199a978615beefa749c867d55a4360d818e0c6bf0a6123cbef251168b316fb552224e0d985a7f0765da4713d2aa1688a9f38ad5a9d2881f507fba1

Download Submit
memory/828-28-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/828-29-0x0000000075C80000-0x0000000075D70000-memory.dmp

Filesize
960KB

Download
memory/828-22-0x0000000075C80000-0x0000000075D70000-memory.dmp

Filesize
960KB

Download
memory/2232-48-0x0000000075C80000-0x0000000075D70000-memory.dmp

Filesize
960KB

Download
memory/2232-44-0x0000000075C80000-0x0000000075D70000-memory.dmp

Filesize
960KB

Download
memory/2852-37-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2852-36-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2852-45-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2852-47-0x0000000075C80000-0x0000000075D70000-memory.dmp

Filesize
960KB

Download
memory/2852-27-0x0000000075C80000-0x0000000075D70000-memory.dmp

Filesize
960KB

Download
memory/2852-40-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2852-38-0x0000000075C80000-0x0000000075D70000-memory.dmp

Filesize
960KB

Download
memory/4664-17-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4664-2-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4664-5-0x0000000075C80000-0x0000000075D70000-memory.dmp

Filesize
960KB

Download
memory/4664-1-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4664-21-0x0000000075C80000-0x0000000075D70000-memory.dmp

Filesize
960KB

Download
memory/4664-4-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4920-3-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4920-0-0x0000000075CA0000-0x0000000075CA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads