edfb7142b18a0f212ff5e7a76b4c76365f9f07c1b0068b683d77acbc91b02946

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-08-2024 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89a7f6e801dbcf2bba5b828c40690547_JaffaCakes118.exe
Size

73KB
MD5

89a7f6e801dbcf2bba5b828c40690547
SHA1

faee54b9baca3cd4835d5b3adb6e050ed3830ebe
SHA256

edfb7142b18a0f212ff5e7a76b4c76365f9f07c1b0068b683d77acbc91b02946
SHA512

3f67c95a1b2a541bd10571f61e8c1fd93f09ef2eceb2e841dd0a14008aad000c7aafb1acc2a924daec93f79eb06fe46b5b85c4b42a2b13c1289bb5e36f5e3feb
SSDEEP

1536:MBej95nc6HSpg+UIqnEixqDnLa95bOVwT2Vf:NLnc6NoqnxqKflT2Vf

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89a7f6e801dbcf2bba5b828c40690547_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2752	2700	89a7f6e801dbcf2bba5b828c40690547_JaffaCakes118.exe	31
PID 2700 wrote to memory of 2752	2700	89a7f6e801dbcf2bba5b828c40690547_JaffaCakes118.exe	31
PID 2700 wrote to memory of 2752	2700	89a7f6e801dbcf2bba5b828c40690547_JaffaCakes118.exe	31
PID 2700 wrote to memory of 2752	2700	89a7f6e801dbcf2bba5b828c40690547_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\89a7f6e801dbcf2bba5b828c40690547_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\89a7f6e801dbcf2bba5b828c40690547_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\a46315.bat "C:\Users\Admin\AppData\Local\Temp\89a7f6e801dbcf2bba5b828c40690547_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a46315.bat

Filesize
77B

MD5
6f26251598924894deb6e567677ce575

SHA1
1e1492f8959e69a180dc5c870ae68627fcd0d839

SHA256
2c0afeec9e0ed88ff3299b3fc014319c92a9479217e7e76c8a366d05f8357705

SHA512
12c96bb6933c11284058427d6e56867e5190d4639eeb241886faa6bee44de4f06df636fb5e5febcfe907143ca48b1b02c0955260b5f4edbe4287fb51f09261f9

Download Submit
memory/2700-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2752-13-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download