eccaaa48afe1dfbf4bcd8153c9f4944c4fd94e8b65c2be01516a9df4ff748306

Analysis

max time kernel
11s
max time network
15s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10-08-2024 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85039535536f5397306760eba7c101b6_JaffaCakes118.exe
Size

138KB
MD5

85039535536f5397306760eba7c101b6
SHA1

b15223dfc91a6c01849c399aa3f900a1c249f250
SHA256

eccaaa48afe1dfbf4bcd8153c9f4944c4fd94e8b65c2be01516a9df4ff748306
SHA512

df1944cc9740635ec0589fd3f32203416b2decba53e87b9b61f30a4096276e831d88f3e7b17e84eb6dba113f511a3fb4781b37f5cab271e7eb919375aba6ba9a
SSDEEP

3072:OafK4BkujYAuwFK/UJBQeoHLiVJeHiGdBNmOdT2GusIKpvVAOv/5T3Eoj7FHgqi6:Oad0UJbEiGdBNmOdT2GusIKpvVAOv/5d

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85039535536f5397306760eba7c101b6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2424	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3012	85039535536f5397306760eba7c101b6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2412	3012	85039535536f5397306760eba7c101b6_JaffaCakes118.exe	30
PID 3012 wrote to memory of 2412	3012	85039535536f5397306760eba7c101b6_JaffaCakes118.exe	30
PID 3012 wrote to memory of 2412	3012	85039535536f5397306760eba7c101b6_JaffaCakes118.exe	30
PID 3012 wrote to memory of 2412	3012	85039535536f5397306760eba7c101b6_JaffaCakes118.exe	30
PID 2412 wrote to memory of 2424	2412	cmd.exe	31
PID 2412 wrote to memory of 2424	2412	cmd.exe	31
PID 2412 wrote to memory of 2424	2412	cmd.exe	31
PID 2412 wrote to memory of 2424	2412	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\85039535536f5397306760eba7c101b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\85039535536f5397306760eba7c101b6_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads