137807f68fb2ec3996e1da35c900bf41f5c6991353b4b65c2d9ad80c7c8aac19

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11-08-2024 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8854ea5f44cb7c01f10593de0a0efa4f_JaffaCakes118.exe
Size

79KB
MD5

8854ea5f44cb7c01f10593de0a0efa4f
SHA1

6bdd98e4a2c62d26c52e9e794a637611602f1b4a
SHA256

137807f68fb2ec3996e1da35c900bf41f5c6991353b4b65c2d9ad80c7c8aac19
SHA512

5d3f8c9b437aa9cd3dfd0ac54a79c72e1be937391fdf4712debd1bd9558150054a2d889a938e3bef87c86e7f710f44f1e0ec84f02c3858a92e1ea6d21ad676a4
SSDEEP

768:A9J8NowRheD8/3rJiUqyet8w9abyzm5E50kyoVonvzRiZljBwiwo5sW3LhaNIC4a:A9wvQUreUbyzABq2mLha2OZtg/27I/I

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8854ea5f44cb7c01f10593de0a0efa4f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2696	2348	8854ea5f44cb7c01f10593de0a0efa4f_JaffaCakes118.exe	31
PID 2348 wrote to memory of 2696	2348	8854ea5f44cb7c01f10593de0a0efa4f_JaffaCakes118.exe	31
PID 2348 wrote to memory of 2696	2348	8854ea5f44cb7c01f10593de0a0efa4f_JaffaCakes118.exe	31
PID 2348 wrote to memory of 2696	2348	8854ea5f44cb7c01f10593de0a0efa4f_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2656	2696	cmd.exe	32
PID 2696 wrote to memory of 2656	2696	cmd.exe	32
PID 2696 wrote to memory of 2656	2696	cmd.exe	32
PID 2696 wrote to memory of 2656	2696	cmd.exe	32
PID 2656 wrote to memory of 2768	2656	net.exe	33
PID 2656 wrote to memory of 2768	2656	net.exe	33
PID 2656 wrote to memory of 2768	2656	net.exe	33
PID 2656 wrote to memory of 2768	2656	net.exe	33
PID 2696 wrote to memory of 2824	2696	cmd.exe	34
PID 2696 wrote to memory of 2824	2696	cmd.exe	34
PID 2696 wrote to memory of 2824	2696	cmd.exe	34
PID 2696 wrote to memory of 2824	2696	cmd.exe	34
PID 2824 wrote to memory of 2752	2824	net.exe	35
PID 2824 wrote to memory of 2752	2824	net.exe	35
PID 2824 wrote to memory of 2752	2824	net.exe	35
PID 2824 wrote to memory of 2752	2824	net.exe	35
PID 2696 wrote to memory of 2800	2696	cmd.exe	36
PID 2696 wrote to memory of 2800	2696	cmd.exe	36
PID 2696 wrote to memory of 2800	2696	cmd.exe	36
PID 2696 wrote to memory of 2800	2696	cmd.exe	36
PID 2800 wrote to memory of 2788	2800	net.exe	37
PID 2800 wrote to memory of 2788	2800	net.exe	37
PID 2800 wrote to memory of 2788	2800	net.exe	37
PID 2800 wrote to memory of 2788	2800	net.exe	37
PID 2696 wrote to memory of 2744	2696	cmd.exe	38
PID 2696 wrote to memory of 2744	2696	cmd.exe	38
PID 2696 wrote to memory of 2744	2696	cmd.exe	38
PID 2696 wrote to memory of 2744	2696	cmd.exe	38
PID 2744 wrote to memory of 2796	2744	net.exe	39
PID 2744 wrote to memory of 2796	2744	net.exe	39
PID 2744 wrote to memory of 2796	2744	net.exe	39
PID 2744 wrote to memory of 2796	2744	net.exe	39

C:\Users\Admin\AppData\Local\Temp\8854ea5f44cb7c01f10593de0a0efa4f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8854ea5f44cb7c01f10593de0a0efa4f_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~147A.bat "C:\Users\Admin\AppData\Local\Temp\8854ea5f44cb7c01f10593de0a0efa4f_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\net.exe
    net user admin KeKs
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user admin KeKs
      4⤵
      System Location Discovery: System Language Discovery
      PID:2768
- - C:\Windows\SysWOW64\net.exe
    net user administrator KeKs
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user administrator KeKs
      4⤵
      System Location Discovery: System Language Discovery
      PID:2752
- - C:\Windows\SysWOW64\net.exe
    net user αΣ∞Φφ KeKs
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user αΣ∞Φφ KeKs
      4⤵
      System Location Discovery: System Language Discovery
      PID:2788
- - C:\Windows\SysWOW64\net.exe
    net user αΣ∞ΦφΦ±≥≡α≥ε≡ KeKs
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user αΣ∞ΦφΦ±≥≡α≥ε≡ KeKs
      4⤵
      System Location Discovery: System Language Discovery
      PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~147A.bat

Filesize
108B

MD5
7f8a54998d981b64d59187251392b866

SHA1
bc95566dcb57536e8315310f865793af16ad3e61

SHA256
a19db7b7d75601b1f29479a0d938392fc7ee8bbbe46ad413c4396dafd87a831a

SHA512
ec6e57ce9300f5357820164e02ddd4933b30c1090e228a4cdb69f7170c82a56005ebedc94483bf7ecb9c7a69dd8603eda2299a7d329d604868257c58ca01e730

Download Submit
memory/2348-5-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download