018d97cef4258673476c27b086ed7af05f5c33ec7c916626d29e37713fcc7438

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72f91bbe27075fb1bd3d8db3bc425190_JaffaCakes118.exe
Size

41KB
MD5

72f91bbe27075fb1bd3d8db3bc425190
SHA1

789e2841058a91de3f051738f0064f1114f3d069
SHA256

018d97cef4258673476c27b086ed7af05f5c33ec7c916626d29e37713fcc7438
SHA512

2dd49d35fc57f96b2b8cd808215ecb73e8cc45fd5b70aef76476910c866dd501ad2083ad3017ad012ba4d0205d85bdb0db769a43e71881b65d4b14313475e7ff
SSDEEP

768:7sfB5JNtfsCqEiiQSy1a0Ys4bJQ9cJ4CkAyueBsiD9ubfHreQHHQtAUEXru1+srg:G5JTfsY0w9s2VzFHretAmR

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
2956	csrs.exe
2860	csrs.exe
3488	csrs.exe
1648	csrs.exe
4320	csrs.exe
2036	csrs.exe
1656	csrs.exe
1892	csrs.exe
628	csrs.exe
2932	csrs.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File opened for modification	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File opened for modification	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File opened for modification	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File opened for modification	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File created	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File created	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File created	C:\Windows\SysWOW64\csrs.exe	72f91bbe27075fb1bd3d8db3bc425190_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File created	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File created	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File created	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File created	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File opened for modification	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File opened for modification	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File created	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File created	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File opened for modification	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File opened for modification	C:\Windows\SysWOW64\csrs.exe	72f91bbe27075fb1bd3d8db3bc425190_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File opened for modification	C:\Windows\SysWOW64\csrs.exe	csrs.exe
File opened for modification	C:\Windows\SysWOW64\csrs.exe	csrs.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72f91bbe27075fb1bd3d8db3bc425190_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrs.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2956	1952	72f91bbe27075fb1bd3d8db3bc425190_JaffaCakes118.exe	84
PID 1952 wrote to memory of 2956	1952	72f91bbe27075fb1bd3d8db3bc425190_JaffaCakes118.exe	84
PID 1952 wrote to memory of 2956	1952	72f91bbe27075fb1bd3d8db3bc425190_JaffaCakes118.exe	84
PID 2956 wrote to memory of 2860	2956	csrs.exe	96
PID 2956 wrote to memory of 2860	2956	csrs.exe	96
PID 2956 wrote to memory of 2860	2956	csrs.exe	96
PID 2860 wrote to memory of 3488	2860	csrs.exe	98
PID 2860 wrote to memory of 3488	2860	csrs.exe	98
PID 2860 wrote to memory of 3488	2860	csrs.exe	98
PID 3488 wrote to memory of 1648	3488	csrs.exe	101
PID 3488 wrote to memory of 1648	3488	csrs.exe	101
PID 3488 wrote to memory of 1648	3488	csrs.exe	101
PID 1648 wrote to memory of 4320	1648	csrs.exe	102
PID 1648 wrote to memory of 4320	1648	csrs.exe	102
PID 1648 wrote to memory of 4320	1648	csrs.exe	102
PID 4320 wrote to memory of 2036	4320	csrs.exe	104
PID 4320 wrote to memory of 2036	4320	csrs.exe	104
PID 4320 wrote to memory of 2036	4320	csrs.exe	104
PID 2036 wrote to memory of 1656	2036	csrs.exe	105
PID 2036 wrote to memory of 1656	2036	csrs.exe	105
PID 2036 wrote to memory of 1656	2036	csrs.exe	105
PID 1656 wrote to memory of 1892	1656	csrs.exe	114
PID 1656 wrote to memory of 1892	1656	csrs.exe	114
PID 1656 wrote to memory of 1892	1656	csrs.exe	114
PID 1892 wrote to memory of 628	1892	csrs.exe	115
PID 1892 wrote to memory of 628	1892	csrs.exe	115
PID 1892 wrote to memory of 628	1892	csrs.exe	115
PID 628 wrote to memory of 2932	628	csrs.exe	119
PID 628 wrote to memory of 2932	628	csrs.exe	119
PID 628 wrote to memory of 2932	628	csrs.exe	119

C:\Users\Admin\AppData\Local\Temp\72f91bbe27075fb1bd3d8db3bc425190_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\72f91bbe27075fb1bd3d8db3bc425190_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\SysWOW64\csrs.exe
  C:\Windows\system32\csrs.exe 1112 "C:\Users\Admin\AppData\Local\Temp\72f91bbe27075fb1bd3d8db3bc425190_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\SysWOW64\csrs.exe
    C:\Windows\system32\csrs.exe 1120 "C:\Windows\SysWOW64\csrs.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\SysWOW64\csrs.exe
      C:\Windows\system32\csrs.exe 1076 "C:\Windows\SysWOW64\csrs.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3488
    - - C:\Windows\SysWOW64\csrs.exe
        
        C:\Windows\system32\csrs.exe 1092 "C:\Windows\SysWOW64\csrs.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1648
      - C:\Windows\SysWOW64\csrs.exe
        
        C:\Windows\system32\csrs.exe 1096 "C:\Windows\SysWOW64\csrs.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\csrs.exe
        
        C:\Windows\system32\csrs.exe 1080 "C:\Windows\SysWOW64\csrs.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\csrs.exe
        
        C:\Windows\system32\csrs.exe 1100 "C:\Windows\SysWOW64\csrs.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\csrs.exe
        
        C:\Windows\system32\csrs.exe 1108 "C:\Windows\SysWOW64\csrs.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\csrs.exe
        
        C:\Windows\system32\csrs.exe 1088 "C:\Windows\SysWOW64\csrs.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\csrs.exe
        
        C:\Windows\system32\csrs.exe 1116 "C:\Windows\SysWOW64\csrs.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\csrs.exe

Filesize
41KB

MD5
72f91bbe27075fb1bd3d8db3bc425190

SHA1
789e2841058a91de3f051738f0064f1114f3d069

SHA256
018d97cef4258673476c27b086ed7af05f5c33ec7c916626d29e37713fcc7438

SHA512
2dd49d35fc57f96b2b8cd808215ecb73e8cc45fd5b70aef76476910c866dd501ad2083ad3017ad012ba4d0205d85bdb0db769a43e71881b65d4b14313475e7ff

Download Submit
memory/628-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1648-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1656-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1892-36-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1952-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/1952-11-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1952-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2036-30-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2860-15-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2860-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2860-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2932-42-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2956-12-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2956-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2956-9-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/3488-19-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3488-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4320-27-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download