36d2b1ac5662194d9d439b5d12c0fdde7b7e6ee3797f725f3d220e7a4c1afef5

Analysis

max time kernel
138s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 16:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

74de6ed4a7e8f9fd65a14d74ee3ac41c_JaffaCakes118.exe
Size

1.6MB
MD5

74de6ed4a7e8f9fd65a14d74ee3ac41c
SHA1

aa3241c8482db7ed98d8f05ba624c7602c5f6f46
SHA256

36d2b1ac5662194d9d439b5d12c0fdde7b7e6ee3797f725f3d220e7a4c1afef5
SHA512

0a0e5cb363d0f406af15fc700e9bc8c3cdc2f062334641dcf414aa8d4ae1e8821aeaefb686245f7a536dd548751f296a0cc0f2d542c1f3028bc892d738b6c735
SSDEEP

24576:fJmnX0tC1tgeZYBmAeGY54MQ0kP/FP7D71iSV+TM2tdjcyrq0xaa7Tif5GjHYu8:hmXNtKBKNAd7D7ovT7dcyrqKaz1u8

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5004	GLBE01F.tmp

Loads dropped DLL 1 IoCs

pid	Process
5004	GLBE01F.tmp

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GLBSINST.%$D	GLBE01F.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74de6ed4a7e8f9fd65a14d74ee3ac41c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GLBE01F.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 5004	1756	74de6ed4a7e8f9fd65a14d74ee3ac41c_JaffaCakes118.exe	84
PID 1756 wrote to memory of 5004	1756	74de6ed4a7e8f9fd65a14d74ee3ac41c_JaffaCakes118.exe	84
PID 1756 wrote to memory of 5004	1756	74de6ed4a7e8f9fd65a14d74ee3ac41c_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\74de6ed4a7e8f9fd65a14d74ee3ac41c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\74de6ed4a7e8f9fd65a14d74ee3ac41c_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\Local\Temp\GLBE01F.tmp
  C:\Users\Admin\AppData\Local\Temp\GLBE01F.tmp 4736 C:\Users\Admin\AppData\Local\Temp\74DE6E~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GLBE01F.tmp

Filesize
70KB

MD5
eacd05bae9c1b8b3fc8b4fa715b3a175

SHA1
a44f371d235d544679cecd286120e325fc8daac1

SHA256
5c2938388e282062107ae82525dd240c4f56a28546c05151552352d4eb1df91f

SHA512
88d1bb44f1416ec3d038f3dfea6f1830b396112bea838b5aebea1d233a6a3596e7c21c6ca4f7afd07b239b30ee0bde4291b0d4999a3e8e445d286ff02356bec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLCE2DE.tmp

Filesize
161KB

MD5
8c97d8bb1470c6498e47b12c5a03ce39

SHA1
15d233b22f1c3d756dca29bcc0021e6fb0b8cdf7

SHA256
a87f19f9fee475d2b2e82acfb4589be6d816b613064cd06826e1d4c147beb50a

SHA512
7ad0b2b0319da52152c2595ee45045d0c06b157cdaaa56ad57dde9736be3e45fd7357949126f80d3e72b21510f9bf69d010d51b3967a7644662808beed067c3f

Download Submit