2d3202278a3482f1a0a3b04afd063d6777f5ef91fc7f504676896aab99504bfa

Analysis

max time kernel
135s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 09:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

738065136a509193ebe957e5f66b3600_JaffaCakes118.exe
Size

476KB
MD5

738065136a509193ebe957e5f66b3600
SHA1

d864d76ce63eb33b6a88b5bd941d709d99c9b05f
SHA256

2d3202278a3482f1a0a3b04afd063d6777f5ef91fc7f504676896aab99504bfa
SHA512

356abce7763c73c36125dcb4c7d181ec6b3a5e653ccdabf1dad09b3c34bd191828c7a8f578f0c586b437f1da7628d0f028eec52a9af1513e638428ac2b841d08
SSDEEP

6144:bJZv5zFiIOuoUsquTFWF7ySG1KnuJbw5mo2hHk6b1LC7t/jIp:1LFmKvt/O

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4356 set thread context of 3140	4356	738065136a509193ebe957e5f66b3600_JaffaCakes118.exe	84

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	738065136a509193ebe957e5f66b3600_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 3140	4356	738065136a509193ebe957e5f66b3600_JaffaCakes118.exe	84
PID 4356 wrote to memory of 3140	4356	738065136a509193ebe957e5f66b3600_JaffaCakes118.exe	84
PID 4356 wrote to memory of 3140	4356	738065136a509193ebe957e5f66b3600_JaffaCakes118.exe	84
PID 4356 wrote to memory of 3140	4356	738065136a509193ebe957e5f66b3600_JaffaCakes118.exe	84
PID 4356 wrote to memory of 3140	4356	738065136a509193ebe957e5f66b3600_JaffaCakes118.exe	84
PID 4356 wrote to memory of 3140	4356	738065136a509193ebe957e5f66b3600_JaffaCakes118.exe	84
PID 4356 wrote to memory of 3140	4356	738065136a509193ebe957e5f66b3600_JaffaCakes118.exe	84
PID 4356 wrote to memory of 3140	4356	738065136a509193ebe957e5f66b3600_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\738065136a509193ebe957e5f66b3600_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\738065136a509193ebe957e5f66b3600_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Users\Admin\AppData\Local\Temp\738065136a509193ebe957e5f66b3600_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\738065136a509193ebe957e5f66b3600_JaffaCakes118.exe"
  2⤵
  PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3140-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3140-2-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3140-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download