34dfa393420e082474bfc01a61776b2c9bfc090608b17b29288da0b03f6bf506

Analysis

max time kernel
148s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2024 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8800be9096fe4872e59265cd9a23b173_JaffaCakes118.exe
Size

84KB
MD5

8800be9096fe4872e59265cd9a23b173
SHA1

18908f602d158554e453cfdb8d5998303f02bddc
SHA256

34dfa393420e082474bfc01a61776b2c9bfc090608b17b29288da0b03f6bf506
SHA512

970520c7eb12e196621c1efafd81b8f3275cfe0e330f7180818f4e25cef86d649396eec67b402814b99850274f5bee2bcd205a11f7050759bff92b1fa121d183
SSDEEP

1536:6r7R+LVGdm9REBJNMOiyF3O8U44LsLWiFTcS3:u+54m9XIF3zU4YsiiuS3

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4868	Explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
4868	Explorer.exe
4852	explorer.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Wdoewdjwgl\8797	Explorer.exe
File opened for modification	C:\Program Files (x86)\Wdoewdjwgl\30402	Explorer.exe
File opened for modification	C:\Program Files (x86)\Wdoewdjwgl\Path.rcd	8800be9096fe4872e59265cd9a23b173_JaffaCakes118.exe
File created	C:\Program Files (x86)\Rqqilq Ngzgykue\Explorer.exe	8800be9096fe4872e59265cd9a23b173_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Rqqilq Ngzgykue\Explorer.exe	8800be9096fe4872e59265cd9a23b173_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8800be9096fe4872e59265cd9a23b173_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	Explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe
4868	Explorer.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 4868	1896	8800be9096fe4872e59265cd9a23b173_JaffaCakes118.exe	86
PID 1896 wrote to memory of 4868	1896	8800be9096fe4872e59265cd9a23b173_JaffaCakes118.exe	86
PID 1896 wrote to memory of 4868	1896	8800be9096fe4872e59265cd9a23b173_JaffaCakes118.exe	86
PID 4868 wrote to memory of 4852	4868	Explorer.exe	87
PID 4868 wrote to memory of 4852	4868	Explorer.exe	87
PID 4868 wrote to memory of 4852	4868	Explorer.exe	87

C:\Users\Admin\AppData\Local\Temp\8800be9096fe4872e59265cd9a23b173_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8800be9096fe4872e59265cd9a23b173_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Program Files (x86)\Rqqilq Ngzgykue\Explorer.exe
  .
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Program Files (x86)\Rqqilq Ngzgykue\explorer.exe
    explorer.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4852

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Rqqilq Ngzgykue\Explorer.exe

Filesize
7.5MB

MD5
72411385d6c616154853656d9c3ffa20

SHA1
7b84df0a36b3d7a67ee64a86bab690cf7db945e5

SHA256
22ca294e846cadfb58fae57069def328d76740637bbd7a5af7a1ed37b8724f81

SHA512
91ec411f14eeb6197de9c70f47016b82ad39f43f1bf1c9c5c48c20884e13a39c0f025b9bb478402ba8876abd885caf0580e9e912dcb0815ce4e4836f5c4ff0ee

Download Submit
C:\Program Files (x86)\Wdoewdjwgl\8797

Filesize
11KB

MD5
6372b1b2bfe92ba75673d31da03aedc7

SHA1
df694f6e8d16170fc7721cc5c8504b689deda4a5

SHA256
d1e10a5d79ee2005e8d2a124c101f210fcb2a12895d8eeea09b5be056ad6b48f

SHA512
25e513c75d4a089b87b8138fca2a17c74e68c1921b615f3f2ed61768a36bdc54094a69f4d3fcf65bdf281452f5c5387beb4cf6764b321e56dd18ec9e575dd2a2

Download Submit
C:\Program Files (x86)\Wdoewdjwgl\Path.rcd

Filesize
260B

MD5
53ed2f8a31c80ae9fc436c92fa0f337e

SHA1
05b0d25eae65a540dc0ca5b14d270a71ccbcebdd

SHA256
845027c4ef29fdc552a1b194232bff1baad19f40b2b4fa9b5a8f100d2bf6b43e

SHA512
6843b007482ea212c6c573fbd8a2f8d766c1e813a575680cb596e2e8588df9d4418e15d3f7ef3083fd7875f10639ec6e9431b33b4f407e76322f5bad9fd42f7d

Download Submit