cbc97ea5a77496da7eda7da2c4120785847e07317da2684512b9980346b95d1d

Analysis

max time kernel
13s
max time network
21s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe
Size

5.2MB
MD5

72f10515a8d3fe89e004101e4cc7d25a
SHA1

74b129c558e9d3c3866517c420133db449972e94
SHA256

cbc97ea5a77496da7eda7da2c4120785847e07317da2684512b9980346b95d1d
SHA512

e92f96a2cf1265aff6a835142929ba69d6fc9e852b718a0dce00da7feb90185bb2e60f9db64c2fd1164cb5c04db7937b79920f7bbcdbaf7f998d227eb26bc88c
SSDEEP

192:/G/2VgqKGxmQtAy2dNQOa099GfsvYgmhT9zHJxhlQtAwimP1oy2+Ra1:/G/vg0xlGHjRNvQtAjQ14+w

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2796	Googlemg.ExE

Executes dropped EXE 2 IoCs

pid	Process
2360	Googlemg.ExE
2796	Googlemg.ExE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Debugs.inf	72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe
File created	C:\Windows\Googlemg.ExE	72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe
File opened for modification	C:\Windows\Googlemg.ExE	72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe
File created	C:\Windows\Debugs.inf	Googlemg.ExE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Googlemg.ExE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Googlemg.ExE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2208	2164	72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe	30
PID 2164 wrote to memory of 2208	2164	72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe	30
PID 2164 wrote to memory of 2208	2164	72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe	30
PID 2164 wrote to memory of 2208	2164	72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe	30
PID 2208 wrote to memory of 2360	2208	72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe	31
PID 2208 wrote to memory of 2360	2208	72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe	31
PID 2208 wrote to memory of 2360	2208	72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe	31
PID 2208 wrote to memory of 2360	2208	72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe	31
PID 2360 wrote to memory of 2796	2360	Googlemg.ExE	32
PID 2360 wrote to memory of 2796	2360	Googlemg.ExE	32
PID 2360 wrote to memory of 2796	2360	Googlemg.ExE	32
PID 2360 wrote to memory of 2796	2360	Googlemg.ExE	32

C:\Users\Admin\AppData\Local\Temp\72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Local\Temp\72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\Googlemg.ExE
    "C:\Windows\Googlemg.ExE"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\Googlemg.ExE
      "C:\Windows\Googlemg.ExE"
      4⤵
      Deletes itself
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MyTemp

Filesize
84B

MD5
2980009a6aa2fe7511a58dc341ae01b5

SHA1
db170b7c0358adcf581ed1013486962c8e7e4b98

SHA256
8dfb23c3a2319801c11d08fe47085f1ca98ae448f7c9d17a747608424964f68c

SHA512
5e777f955f934e733c8773fde3067d3fcfd5b010a6c28f0dda7a61f7f6b8b0d8f2bed6595e220d05976c1876c2ffd7e464c71643f1ed05afe5f7ee94f72e0f38

Download Submit
C:\Windows\Googlemg.ExE

Filesize
29.5MB

MD5
7b204b3708bacd1db05be7d9abc062b4

SHA1
8540672e8135b01fe4f37469ee6f2bc93f96c30d

SHA256
bd346bd0100128365782e82f964b0f0da03c605b0aae15856d401581c1c4246d

SHA512
e7badff9b38480ec868abeea4da7fd9abe3a968f1694e6ee32897ac22b95986e4c7a0f009df7d127254c5c2b7055e7a77371dde43dee9c6815a3fa52a4ed7900

Download Submit