5964f46b3c8180aeeeedc394602e5847aa7681b3e5c70a499e304559942dc0da

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85fe87bec45932fff695ecf4bf86c7ff_JaffaCakes118.exe
Size

163KB
MD5

85fe87bec45932fff695ecf4bf86c7ff
SHA1

1d736427ec7afe7f6ca894ef653634fb7102ffd6
SHA256

5964f46b3c8180aeeeedc394602e5847aa7681b3e5c70a499e304559942dc0da
SHA512

265d35a942ec3e360cfa6b619d8705001aeaaac9cf453820a4ca86bbfd141c8157a72cd94d246d988c3d1f802de9270c37a2c6ae6da3240869956507eb95d2e2
SSDEEP

3072:E6LwjY3F6SdsxNRriZsqBc4tNQXhBL7gDLYIIp4s29nrN:E9jY3gFXEGgN6h1g3YbW9Z

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
4772	delso.exe
1100	delso.exe
2576	delso.exe
2908	delso.exe
2528	delso.exe
2000	delso.exe
2584	delso.exe
688	delso.exe
4752	delso.exe
2952	delso.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\delso.exe	delso.exe
File opened for modification	C:\Windows\SysWOW64\delso.exe	delso.exe
File created	C:\Windows\SysWOW64\delso.exe	delso.exe
File created	C:\Windows\SysWOW64\delso.exe	delso.exe
File opened for modification	C:\Windows\SysWOW64\delso.exe	delso.exe
File created	C:\Windows\SysWOW64\delso.exe	delso.exe
File created	C:\Windows\SysWOW64\delso.exe	delso.exe
File created	C:\Windows\SysWOW64\delso.exe	delso.exe
File opened for modification	C:\Windows\SysWOW64\delso.exe	delso.exe
File opened for modification	C:\Windows\SysWOW64\delso.exe	delso.exe
File opened for modification	C:\Windows\SysWOW64\delso.exe	delso.exe
File created	C:\Windows\SysWOW64\delso.exe	delso.exe
File opened for modification	C:\Windows\SysWOW64\delso.exe	delso.exe
File opened for modification	C:\Windows\SysWOW64\delso.exe	delso.exe
File created	C:\Windows\SysWOW64\delso.exe	delso.exe
File opened for modification	C:\Windows\SysWOW64\delso.exe	delso.exe
File created	C:\Windows\SysWOW64\delso.exe	85fe87bec45932fff695ecf4bf86c7ff_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\delso.exe	85fe87bec45932fff695ecf4bf86c7ff_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\delso.exe	delso.exe
File created	C:\Windows\SysWOW64\delso.exe	delso.exe
File created	C:\Windows\SysWOW64\delso.exe	delso.exe
File opened for modification	C:\Windows\SysWOW64\delso.exe	delso.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	delso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	delso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	delso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	delso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	delso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	delso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	delso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85fe87bec45932fff695ecf4bf86c7ff_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	delso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	delso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	delso.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3820 wrote to memory of 4772	3820	85fe87bec45932fff695ecf4bf86c7ff_JaffaCakes118.exe	84
PID 3820 wrote to memory of 4772	3820	85fe87bec45932fff695ecf4bf86c7ff_JaffaCakes118.exe	84
PID 3820 wrote to memory of 4772	3820	85fe87bec45932fff695ecf4bf86c7ff_JaffaCakes118.exe	84
PID 4772 wrote to memory of 1100	4772	delso.exe	95
PID 4772 wrote to memory of 1100	4772	delso.exe	95
PID 4772 wrote to memory of 1100	4772	delso.exe	95
PID 1100 wrote to memory of 2576	1100	delso.exe	100
PID 1100 wrote to memory of 2576	1100	delso.exe	100
PID 1100 wrote to memory of 2576	1100	delso.exe	100
PID 2576 wrote to memory of 2908	2576	delso.exe	102
PID 2576 wrote to memory of 2908	2576	delso.exe	102
PID 2576 wrote to memory of 2908	2576	delso.exe	102
PID 2908 wrote to memory of 2528	2908	delso.exe	103
PID 2908 wrote to memory of 2528	2908	delso.exe	103
PID 2908 wrote to memory of 2528	2908	delso.exe	103
PID 2528 wrote to memory of 2000	2528	delso.exe	106
PID 2528 wrote to memory of 2000	2528	delso.exe	106
PID 2528 wrote to memory of 2000	2528	delso.exe	106
PID 2000 wrote to memory of 2584	2000	delso.exe	107
PID 2000 wrote to memory of 2584	2000	delso.exe	107
PID 2000 wrote to memory of 2584	2000	delso.exe	107
PID 2584 wrote to memory of 688	2584	delso.exe	115
PID 2584 wrote to memory of 688	2584	delso.exe	115
PID 2584 wrote to memory of 688	2584	delso.exe	115
PID 688 wrote to memory of 4752	688	delso.exe	116
PID 688 wrote to memory of 4752	688	delso.exe	116
PID 688 wrote to memory of 4752	688	delso.exe	116
PID 4752 wrote to memory of 2952	4752	delso.exe	119
PID 4752 wrote to memory of 2952	4752	delso.exe	119
PID 4752 wrote to memory of 2952	4752	delso.exe	119

C:\Users\Admin\AppData\Local\Temp\85fe87bec45932fff695ecf4bf86c7ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\85fe87bec45932fff695ecf4bf86c7ff_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3820
- C:\Windows\SysWOW64\delso.exe
  C:\Windows\system32\delso.exe 1188 "C:\Users\Admin\AppData\Local\Temp\85fe87bec45932fff695ecf4bf86c7ff_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\SysWOW64\delso.exe
    C:\Windows\system32\delso.exe 1152 "C:\Windows\SysWOW64\delso.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Windows\SysWOW64\delso.exe
      C:\Windows\system32\delso.exe 1128 "C:\Windows\SysWOW64\delso.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\SysWOW64\delso.exe
        
        C:\Windows\system32\delso.exe 1120 "C:\Windows\SysWOW64\delso.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Windows\SysWOW64\delso.exe
        
        C:\Windows\system32\delso.exe 1124 "C:\Windows\SysWOW64\delso.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\delso.exe
        
        C:\Windows\system32\delso.exe 1140 "C:\Windows\SysWOW64\delso.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\delso.exe
        
        C:\Windows\system32\delso.exe 1132 "C:\Windows\SysWOW64\delso.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\delso.exe
        
        C:\Windows\system32\delso.exe 1136 "C:\Windows\SysWOW64\delso.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\SysWOW64\delso.exe
        
        C:\Windows\system32\delso.exe 1144 "C:\Windows\SysWOW64\delso.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\delso.exe
        
        C:\Windows\system32\delso.exe 1156 "C:\Windows\SysWOW64\delso.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\delso.exe

Filesize
163KB

MD5
85fe87bec45932fff695ecf4bf86c7ff

SHA1
1d736427ec7afe7f6ca894ef653634fb7102ffd6

SHA256
5964f46b3c8180aeeeedc394602e5847aa7681b3e5c70a499e304559942dc0da

SHA512
265d35a942ec3e360cfa6b619d8705001aeaaac9cf453820a4ca86bbfd141c8157a72cd94d246d988c3d1f802de9270c37a2c6ae6da3240869956507eb95d2e2

Download Submit
memory/688-35-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/688-33-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1100-13-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1100-11-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2000-28-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2528-23-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2528-25-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2576-15-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2576-17-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2584-31-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2908-19-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2908-21-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2952-41-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3820-0-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3820-8-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4752-38-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4772-9-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download