164bccd8ac34749b2a5144daf6f28541e21c0b5729e49fe4eb5cd259d6119f4d

Analysis

max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 10:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe
Size

200KB
MD5

85ba1c81d419d0743870fa21c84114ee
SHA1

61904f45397d94457b04baf540bacb9128ee4475
SHA256

164bccd8ac34749b2a5144daf6f28541e21c0b5729e49fe4eb5cd259d6119f4d
SHA512

214a08f9dcf81a9066c20c9dc1d28a84c76bb2b045e1d3eb28b06d2893c574cc5af0198617009c5bef803d352b5f6679a8447949468976b807c6402820453f98
SSDEEP

3072:bHHyIXRTzLgDsdCtykxdaA3dYCvhOtJYVQcA5fM0LVOl5xKYWgwQxrlUPC2HoC:bhNpg1dagdYhmLpqOl5x+5QT49oC

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe
3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe
3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 908	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	84
PID 3812 wrote to memory of 908	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	84
PID 3812 wrote to memory of 908	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	84
PID 3812 wrote to memory of 2528	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	89
PID 3812 wrote to memory of 2528	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	89
PID 3812 wrote to memory of 2528	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	89
PID 3812 wrote to memory of 464	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	90
PID 3812 wrote to memory of 464	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	90
PID 3812 wrote to memory of 464	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	90
PID 3812 wrote to memory of 4848	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	92
PID 3812 wrote to memory of 4848	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	92
PID 3812 wrote to memory of 4848	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	92
PID 3812 wrote to memory of 4524	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	93
PID 3812 wrote to memory of 4524	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	93
PID 3812 wrote to memory of 4524	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	93
PID 3812 wrote to memory of 1152	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	94
PID 3812 wrote to memory of 1152	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	94
PID 3812 wrote to memory of 1152	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	94
PID 3812 wrote to memory of 3540	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	95
PID 3812 wrote to memory of 3540	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	95
PID 3812 wrote to memory of 3540	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	95
PID 3812 wrote to memory of 3172	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	96
PID 3812 wrote to memory of 3172	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	96
PID 3812 wrote to memory of 3172	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	96
PID 3812 wrote to memory of 3984	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	97
PID 3812 wrote to memory of 3984	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	97
PID 3812 wrote to memory of 3984	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	97
PID 3812 wrote to memory of 2116	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	99
PID 3812 wrote to memory of 2116	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	99
PID 3812 wrote to memory of 2116	3812	85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe	99

C:\Users\Admin\AppData\Local\Temp\85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\85ba1c81d419d0743870fa21c84114ee_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tinC365.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:908
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinF958.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2528
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinE7B2.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:464
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin20C2.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4848
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinF958.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4524
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin15E6.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1152
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinBC54.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3540
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin20C2.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3172
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin48C6.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin7A78.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\1F29CB09\cfg\1.ini

Filesize
1KB

MD5
8150f458ed6fb9b1db4e5cfa57a1a281

SHA1
6e5726854d28687b560d7fdcb5c782c425c7dfb9

SHA256
4c13d452dd5d49671bd93ca32f2b4f85c78e39b6ab0ad1f38d98ed267f8fd896

SHA512
4cc6a112673aef8bb8bb8a385c26791b805d43bb707b509880e894f1c83bab4e16f13de187036c5f660c3bec1d286258396b7bde65c5d7945c5019665196818c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F29CB09\Setup.exe

Filesize
15KB

MD5
011c08dab1dd0bad6960ddabba460c50

SHA1
0864a756ec8bf0e51cce91cff93c7c2c404208da

SHA256
2a095e2ae908ac5e5e3268b5f5fd12752e92c6d46b847d324c9cae67174a1c10

SHA512
db7ded3195156aa835cc32f2e8676e2c8f7c2449a56fd823c3f29ec5f200deb2e4389dee9ec3c96d3c27aa01d80d5cff8d8ed39f7592b955ba484ae90aacc165

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F29CB09\Setup.ico

Filesize
4KB

MD5
c3926cef276c0940dadbc8142153cec9

SHA1
f8b350d2b7158f5ab147938961439860d77b9cb4

SHA256
0ec48e3c1886bc0169a4bc262f012e9b7914e3b440bb0ecc4d8123924abc9b93

SHA512
5b9958095b8a7b39b3a2226a5242faec8d2d799d10e1e4ed6dbfb8aaebe51b7496cf4bb5ad588366a296671df3ba46a3f42860abc7f9501b4cc5efd55dd87904

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F29CB09\_Setup.dll

Filesize
80KB

MD5
4e4cfe1f6ed8268a15f78e0eb34eebca

SHA1
bd656a8ca9dc962ada11e20bd35a89e80f2d69d7

SHA256
e9342cb066d047db074cad795d9add7a51fc2a696ff67de595baf4ad416f2979

SHA512
6f4bee27225fa0e4f717e357100799ecdec870d743da3fc23c4796f0fcb55ca210cdd6b4e01bdd2406bbf0c7c1841ae36a8dbb98180203b79c47d5c190a32a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F29CB09\_Setupx.dll

Filesize
16KB

MD5
a3e3a7c55dac05898f398f0ef4ef16fd

SHA1
2245eebc8ef1d3c1ae7f395ce168b0a93fb0f016

SHA256
25e262cf0f72f8e8bcd0bc6f4cabcd8dcf397ac027cce46ce8ac19511afabffe

SHA512
e7d8e21b6f40caccf519ba27895c09ae07ade7c82982265c249228ed0bd18179b6e25dedf2596e6be60db782d80cfeb014c43c5d25757c156d54fd5ae4193d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tsu-0EE4.dll

Filesize
245KB

MD5
0ad3f6b76368a27813d3d941458bafc2

SHA1
ce21514b78dd67d8d9562b3983abf8755a8c0a88

SHA256
8fbd7e9bcd9f281aed0f5e8d06c821dd2b33fce0ddc17b864e0ceca6b90b31b2

SHA512
c75210165ecf296ba4d04cbab2323118afbab9ddb420b8309cf744b3273485cb1e152027fe35354047c4c0bd0d83ec17a73c8eea8575bc0a4714c98cc5a478b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin15E6.vbs

Filesize
419B

MD5
01ce1a805b7e070911ecd270193387ea

SHA1
5a30c6f67f1f2a088973444b4e3887bc0347c7f0

SHA256
73e324fb9997b24506a3a3dbeab2347cc3736698b25d974dc3eb717e03c8a696

SHA512
cee8535203eed82452a4d0086727c9bc646b85574f519057ed0fb2c572dba3d3987af720b12daa60559f81f93c3bea4dc985cc9341349941cd0ae18e1fd69c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin20C2.vbs

Filesize
2KB

MD5
e33c81d77ffb3c64f8f3b171e63d8eaa

SHA1
39ad39dde4e76a0b96c5a55ad886b7def60105d9

SHA256
56afb855ac632126577de0109eb1af9a46e634b9312aaded7319ee5d66798925

SHA512
444db2948165e123d9d117fac18a024f654d2a6319b345b586c3025e9922e8f414db78bc8d813d144dadac41d57b1fb8865b4a09a0cbfd867695bfe688cc87be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin48C6.bat

Filesize
50B

MD5
9760c36acf96d617525e822a03d0946e

SHA1
d3ff83c4c72a3501b5fd0683f95999b6a74d15e9

SHA256
7a71e7aa323949961b37f53007c9f3e59c57c2b495950b263f06943df3a447e9

SHA512
05b6b9c821818e0d209925f192e3c0b4bcbcf52b7fdbb325d0502ef90af8698d8375046f5c32b0dcd88f4aad0dc01008030e74b062098c04ecd48205719f52c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin7A78.bat

Filesize
46B

MD5
d7a08ba5c66a7b5e73d71df771e23339

SHA1
7d8f6d8dcd5ae121ecb3e2a63acbe531d8281ae8

SHA256
a68a69ca78416230aa2dcd9c766c3d899071f686df7f3eb0cc9080dad2bd09ec

SHA512
08b3ba75008c1f44e82b9db90bb818404f308be7ceab0d7ec9f5030e5385768c5d0750528e6633533df18fed01a2205e2ac554f2b18c4162dcc1f5251018a8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinBC54.vbs

Filesize
819B

MD5
fc4c6915dbb3e44dccd6064c5826b5d9

SHA1
06f49a7c02e41329bf491591fc57dd162169a561

SHA256
cc87d9af333a96655adf048a46fa93724d78eb5bcaf1137f6fc49b5b3fce89ae

SHA512
1a37777adc73b76e78b29e9a12ef84dbdc01e81548e30b27ebacd6525aa6153e4db2e7ee8b2ce39279bfff148f657b7cc22159371452a9ceec4aca39d3dbd928

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinC365.bat

Filesize
44B

MD5
9435760bc788dcacec22e578d235b928

SHA1
93ee223b522d0655c422eb9aa52a06eb2941b001

SHA256
2ae0ea156737d50ad54aa8875a15060237157cc0b019da3fe53cfb3eeece7c3f

SHA512
feddd965b91501f13835b25e88da28bbc16c6a2d3a94521d4a0806570f3a2fb40e7122dd42ace97c9469941d89a2d9d97361539eea2a50576ee040fbc16175ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinE7B2.vbs

Filesize
1KB

MD5
7bab507e04037cf5adf03bcab6a15824

SHA1
aecc10b682e525b3c0ed35594cb550d447237b68

SHA256
8b53551a8610ffe9f81060ee25f5a3c146193a700acbf5c6a102fdad8667ba33

SHA512
a5c635edb9176b9f867a5564e4ad9f16639a314100f4a2035b3084c9d003eefb4aef054e5105a35d1d4dcca0901801ec9aa0000459a55cd77cdc8b46f40b2938

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinF958.vbs

Filesize
304B

MD5
153ff27f5f90a4422fdbfa31f9978d3b

SHA1
3c6a116ed84007626cbb69bc2460ccb7ba8895d1

SHA256
f8acbdd4c9a780f437fafbe494acd1743f8f234226e4cc5d6ec6dbc7bf28a089

SHA512
372fab133223e3e7baf229e0f668d8a390fe1b39a6cce593e4d104fd74a147cedf532f18a8c39e5891357cfcae8447c537e9e1d0e6bc0fd28c546465c36719f6

Download Submit