5f30be3e1f1b9559005193cd21fb86cd24ce6aa083c98d2fbcc79fd935ab0c3d

Analysis

max time kernel
147s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88db50cb51a16c82386c102af152f06d_JaffaCakes118.exe
Size

284KB
MD5

88db50cb51a16c82386c102af152f06d
SHA1

36040aad488ea4984ed42253dd3488ba0761472d
SHA256

5f30be3e1f1b9559005193cd21fb86cd24ce6aa083c98d2fbcc79fd935ab0c3d
SHA512

1e5f1e0cd3cbc7371c1ff9542c0b7d366b80abeedbd0f5e06542be1c3920280a2bf05b1dfbf1674619ea3ff7fffed427f1a0a9d2ab4b1b97c1f1fb42acc096c2
SSDEEP

6144:IAMN3hodL2Pnqo5xXCBnebzdTtSF4Q9inw0CeCEBf:dMNmF2vqWXEnebz5tU4Cinw2CEBf

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88db50cb51a16c82386c102af152f06d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2400	88db50cb51a16c82386c102af152f06d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	88db50cb51a16c82386c102af152f06d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2540	2400	88db50cb51a16c82386c102af152f06d_JaffaCakes118.exe	86
PID 2400 wrote to memory of 2540	2400	88db50cb51a16c82386c102af152f06d_JaffaCakes118.exe	86
PID 2400 wrote to memory of 2540	2400	88db50cb51a16c82386c102af152f06d_JaffaCakes118.exe	86
PID 2540 wrote to memory of 1944	2540	csc.exe	89
PID 2540 wrote to memory of 1944	2540	csc.exe	89
PID 2540 wrote to memory of 1944	2540	csc.exe	89

C:\Users\Admin\AppData\Local\Temp\88db50cb51a16c82386c102af152f06d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\88db50cb51a16c82386c102af152f06d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oeu8qqdc.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES759E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC759D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES759E.tmp

Filesize
1KB

MD5
5ef1915263ccbd6a9e4e491ec02d02b2

SHA1
6532378e46b99aa2e6e16af1212eeeed7735f01f

SHA256
20cd1f895406051510716f31a974f7b75ad3c17990a4101df7195d5fedecc320

SHA512
0b9120ae59cc94c1ca67b96f5c29671bf4db9076c1477f4c1198c4581dd33782aacf5d21b75e3d165091a802c159c247901df39149b18be0ba2c164645a41ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\oeu8qqdc.dll

Filesize
5KB

MD5
5cb9eda226b753942c95a1500499381a

SHA1
a6b9168f8a812999b57b4965c303055f2d7f00ce

SHA256
74e339764276c109ec3f82efaccd147800f0da7137d190a80a8714b6776359a1

SHA512
ea8734ce478531d9f41047058c331e60e01c6509e0a6047e5e62d4d5f1ab659b07a2334257db85eb566484601d121c65ca4ba61716e235d5bf3c3d69f1494082

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC759D.tmp

Filesize
652B

MD5
2c8bd7bc11680c8167a954a4f9a0060e

SHA1
2c60d4c24009de44d502d5a60ea4b817507bba78

SHA256
61c5f34449006750d4282fdbe70967249c5c23156aa37a89e9e68a5fcd1f6d22

SHA512
101a878d064092649fffb864a5702648cdbd7062e339014cb49ec65ba7d8b7c2e08a19d4edb63d9fb33c5e63e4d6439b2b1252993c80ba914fda7b6d08d4fee4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oeu8qqdc.0.cs

Filesize
4KB

MD5
6830431c6b49f72eaca4b2888a0ddaa9

SHA1
502083f68f991bfcfd771a7ba5bd508c2834591c

SHA256
ae57e8973a24563582d571743f0339d9347ffc82ed716d12a994694c2b673bf8

SHA512
939fa8cb2ca518904dea91b9612c53d833b9cf11e393fb376c1b0d00734e52b33708a6302e04bf15cb6a8e745475163766dec5a29ac265c914d0c286a170b35a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oeu8qqdc.cmdline

Filesize
206B

MD5
3a76e070ba809aecb73c549865518c76

SHA1
5721287088c82f58c45fff0a5c75732f2fb456bd

SHA256
6baeea952b894496efa0555ef989e8a0ef7c61614715263c76858c7f0c346603

SHA512
10b2a02bdca2428cc5eb365bcb355b83db57dd5b179f81bb92fd80d195c33a76ce77017f2a13c64a617c6988d4f5604db83c6580d9bd6632f8f5434b8722b85d

Download Submit
memory/2400-0-0x0000000074852000-0x0000000074853000-memory.dmp

Filesize
4KB

Download
memory/2400-1-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/2400-2-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/2400-19-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/2540-10-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/2540-15-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download