28613275d38d891092475115bbd330332d2ec29c6f956c46c60886941a8cde52

Analysis

max time kernel
141s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 01:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8272511481070c083d67fb5abd5f8c69_JaffaCakes118.exe
Size

4.8MB
MD5

8272511481070c083d67fb5abd5f8c69
SHA1

63f90dd58a2a9054b36672c3fba3a1b5d3ff60ad
SHA256

28613275d38d891092475115bbd330332d2ec29c6f956c46c60886941a8cde52
SHA512

8d7a98f0119f90035e7b55de28d5af65c476c7ffabf68ecf31ba8be012f4142e5827c3e373ae2bb6ca4061f59d53104f30e14754ed1a5d6ff1ef2ef2b6eb8749
SSDEEP

98304:I6xLLc6RWEqh4ADO5yKlKmogxsNpufOQUgOqLmRXTMTash1bEqL4pkySpc7:ICv/0jDdKlKlgGfufOQ97np1EqiJSW7

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3064	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
3064	setup.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8272511481070c083d67fb5abd5f8c69_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 3064	4296	8272511481070c083d67fb5abd5f8c69_JaffaCakes118.exe	86
PID 4296 wrote to memory of 3064	4296	8272511481070c083d67fb5abd5f8c69_JaffaCakes118.exe	86
PID 4296 wrote to memory of 3064	4296	8272511481070c083d67fb5abd5f8c69_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\8272511481070c083d67fb5abd5f8c69_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8272511481070c083d67fb5abd5f8c69_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Users\Admin\AppData\Local\Temp\H27MS.TMP\setup.exe
  C:\Users\Admin\AppData\Local\Temp\H27MS.TMP\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\H27MS.TMP\gdu.dll

Filesize
80KB

MD5
ffdc1f3ff2ed00de405616b0a4a00c97

SHA1
b3f4629fbb46d142b5033c457f29c659a70ba386

SHA256
673465e295981d3effd067f01d6528ee38d0b7eb70f37aa58ce507d2667bdf34

SHA512
b745b263c8c203b77b7a04dd9be1fb928640aa065bd38ecce3b8b655bff5f4501dd0fb15682eef14ae940152dd0ce5333042b318f766227602b7498fc4905fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\H27MS.TMP\setup.exe

Filesize
506KB

MD5
bbdc3243420b0f91b18770b44e8572ca

SHA1
633e564becdf109c3525a73f8e57d9df69dd26ff

SHA256
0c8191977b11cdf2a8a53d516e64ecf110cda29108cdba67489555761cb2f36e

SHA512
6eecf2e1c0e65771567c683adfe446aaa021dae944b4a55f3a1cb6b3016b5f6b6e41a22655641dedb28e1e91bc39736ba0877d814142848804ba57b4e3d4f9db

Download Submit
memory/3064-53-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/3064-55-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3064-58-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/4296-54-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download