88cdfaa8b2dc5e66427eac24b1bb62dbf34b2f95c442424a68bc9cb7fc77e120

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 22:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8c44c0ab412eb6cf61dbfb1882eecf23_JaffaCakes118.exe
Size

161KB
MD5

8c44c0ab412eb6cf61dbfb1882eecf23
SHA1

27760558fe534b1f02748b49299241469464becf
SHA256

88cdfaa8b2dc5e66427eac24b1bb62dbf34b2f95c442424a68bc9cb7fc77e120
SHA512

dda58b2bc563cd935a5e152d6ce8aa11cd5bcbe0f9e5699247a23ea97cab21706e93d69e1e7c51217c2364c1a5f486c005143caefc47c147e3d9f2f4d65015eb
SSDEEP

1536:IeAZLLL1GXAQ5k7aGSV4bgvGCMU9zkBVitnWyKpa4Gk/lnETHrLOxWFUzz0O177w:dQB7eefitnWyKDGk/lnAHOiw1Llo

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c44c0ab412eb6cf61dbfb1882eecf23_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 3064	2488	8c44c0ab412eb6cf61dbfb1882eecf23_JaffaCakes118.exe	30
PID 2488 wrote to memory of 3064	2488	8c44c0ab412eb6cf61dbfb1882eecf23_JaffaCakes118.exe	30
PID 2488 wrote to memory of 3064	2488	8c44c0ab412eb6cf61dbfb1882eecf23_JaffaCakes118.exe	30
PID 2488 wrote to memory of 3064	2488	8c44c0ab412eb6cf61dbfb1882eecf23_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\8c44c0ab412eb6cf61dbfb1882eecf23_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8c44c0ab412eb6cf61dbfb1882eecf23_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\SysWOW64\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\F del.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F del.vbs

Filesize
736B

MD5
d6eca7c062b6d5b67978b23698d6856d

SHA1
1deed17f724af7d470dfbe90a7c84fb5bd6a7917

SHA256
7d05c7f65e8704e3d889bcda64a93e084f6b4c9ef4f69d7151c0944d6f59bad2

SHA512
bdbf633fdd3786e5af51bee9ac794bc48614dae8a29b4610080c1b15315ed66a824c312bb916d991eba5dec4684b5c72e83a2a3a64af74b1bf9830071c23f968

Download Submit