212466da533bcba7b5d9ce3c4a9e0a35f1b1d96aa84e6fa9b3537063a4f25453

Analysis

max time kernel
92s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2024, 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81d5e7a51d597cf4689e27d1c8048154_JaffaCakes118.exe
Size

552KB
MD5

81d5e7a51d597cf4689e27d1c8048154
SHA1

5fba374766cad3bece930f80b2e485f279dd2d74
SHA256

212466da533bcba7b5d9ce3c4a9e0a35f1b1d96aa84e6fa9b3537063a4f25453
SHA512

07b3dea11db834b4920a1886909c178a5146af7aeeb99447b3a1353c0d44e51269b8ea7bfc08330c3a783c93f1fc141169a4b0455a46777b89b3e7e9e11febb7
SSDEEP

12288:5fH2pohMieQkyrKD7yyTwhVbVO3ZnGTHx6:FWWNvkya750oJGT

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2940	milian.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4384	4960	WerFault.exe	87

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2940 set thread context of 4960	2940	milian.exe	87

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\milian.exe	81d5e7a51d597cf4689e27d1c8048154_JaffaCakes118.exe
File opened for modification	C:\Windows\milian.exe	81d5e7a51d597cf4689e27d1c8048154_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81d5e7a51d597cf4689e27d1c8048154_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	milian.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 2676	1284	81d5e7a51d597cf4689e27d1c8048154_JaffaCakes118.exe	88
PID 1284 wrote to memory of 2676	1284	81d5e7a51d597cf4689e27d1c8048154_JaffaCakes118.exe	88
PID 1284 wrote to memory of 2676	1284	81d5e7a51d597cf4689e27d1c8048154_JaffaCakes118.exe	88
PID 2940 wrote to memory of 4960	2940	milian.exe	87
PID 2940 wrote to memory of 4960	2940	milian.exe	87
PID 2940 wrote to memory of 4960	2940	milian.exe	87
PID 2940 wrote to memory of 4960	2940	milian.exe	87
PID 2940 wrote to memory of 4960	2940	milian.exe	87

C:\Users\Admin\AppData\Local\Temp\81d5e7a51d597cf4689e27d1c8048154_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81d5e7a51d597cf4689e27d1c8048154_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\9422.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2676

C:\Windows\milian.exe
C:\Windows\milian.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" 825
  2⤵
  PID:4960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 12
    3⤵
    - Program crash
    PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4960 -ip 4960
1⤵
PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9422.bat

Filesize
226B

MD5
cab54ea9cba8e529c866fe0e47dae3e1

SHA1
7b6f81c4c46035dddad9f4fd0a226c66781e0b99

SHA256
6aab173751a44f2206189e1f43535e652d4ccc8f0b4a62bfa3080297ba010169

SHA512
d4f9deb86757970092cd797a185329fc03e8510c0e24672158e696083bb6bcc16687baaa0fb50971c79c2866177e2ab3506074a46236c267f601b62b6d8dfef7

Download Submit
C:\Windows\milian.exe

Filesize
552KB

MD5
81d5e7a51d597cf4689e27d1c8048154

SHA1
5fba374766cad3bece930f80b2e485f279dd2d74

SHA256
212466da533bcba7b5d9ce3c4a9e0a35f1b1d96aa84e6fa9b3537063a4f25453

SHA512
07b3dea11db834b4920a1886909c178a5146af7aeeb99447b3a1353c0d44e51269b8ea7bfc08330c3a783c93f1fc141169a4b0455a46777b89b3e7e9e11febb7

Download Submit
memory/1284-2-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1284-10-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2940-8-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2940-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4960-9-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download