cbc97ea5a77496da7eda7da2c4120785847e07317da2684512b9980346b95d1d

Analysis

max time kernel
136s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe
Size

5.2MB
MD5

72f10515a8d3fe89e004101e4cc7d25a
SHA1

74b129c558e9d3c3866517c420133db449972e94
SHA256

cbc97ea5a77496da7eda7da2c4120785847e07317da2684512b9980346b95d1d
SHA512

e92f96a2cf1265aff6a835142929ba69d6fc9e852b718a0dce00da7feb90185bb2e60f9db64c2fd1164cb5c04db7937b79920f7bbcdbaf7f998d227eb26bc88c
SSDEEP

192:/G/2VgqKGxmQtAy2dNQOa099GfsvYgmhT9zHJxhlQtAwimP1oy2+Ra1:/G/vg0xlGHjRNvQtAjQ14+w

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2364	Googlekm.ExE

Executes dropped EXE 2 IoCs

pid	Process
2384	Googlekm.ExE
2364	Googlekm.ExE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Debugs.inf	72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe
File created	C:\Windows\Googlekm.ExE	72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe
File opened for modification	C:\Windows\Googlekm.ExE	72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe
File created	C:\Windows\Debugs.inf	Googlekm.ExE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Googlekm.ExE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Googlekm.ExE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2800	2732	72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe	84
PID 2732 wrote to memory of 2800	2732	72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe	84
PID 2732 wrote to memory of 2800	2732	72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe	84
PID 2800 wrote to memory of 2384	2800	72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe	87
PID 2800 wrote to memory of 2384	2800	72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe	87
PID 2800 wrote to memory of 2384	2800	72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe	87
PID 2384 wrote to memory of 2364	2384	Googlekm.ExE	89
PID 2384 wrote to memory of 2364	2384	Googlekm.ExE	89
PID 2384 wrote to memory of 2364	2384	Googlekm.ExE	89

C:\Users\Admin\AppData\Local\Temp\72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\72f10515a8d3fe89e004101e4cc7d25a_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\Googlekm.ExE
    "C:\Windows\Googlekm.ExE"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\Googlekm.ExE
      "C:\Windows\Googlekm.ExE"
      4⤵
      Deletes itself
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MyTemp

Filesize
84B

MD5
2980009a6aa2fe7511a58dc341ae01b5

SHA1
db170b7c0358adcf581ed1013486962c8e7e4b98

SHA256
8dfb23c3a2319801c11d08fe47085f1ca98ae448f7c9d17a747608424964f68c

SHA512
5e777f955f934e733c8773fde3067d3fcfd5b010a6c28f0dda7a61f7f6b8b0d8f2bed6595e220d05976c1876c2ffd7e464c71643f1ed05afe5f7ee94f72e0f38

Download Submit
C:\Windows\Googlekm.ExE

Filesize
28.4MB

MD5
28bc8ced404a9418f19392f4f488c7aa

SHA1
152c76aee6fe615f523a6ca403c9ebf44d68355c

SHA256
a58f3d3979ed6aa43797f151314149a6a4eb6d5e9b0fc96544f0a374baab117a

SHA512
52d5379a95b7c0b41dc1767da8859d2f37b1bbc98e69cb48b20dcde8ddff2e84dbc77f2729be3d3409bb7c32a21c2ef0616592e3a84e45a690fdb79b3238b6ce

Download Submit