c22bbed39520dcd7570bb708d495e04088958d890b1fbbfa6075381ab4841d30

Analysis

max time kernel
141s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 09:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

89ef7d73146fbb7a9ee37e8da7659edd_JaffaCakes118.exe
Size

496KB
MD5

89ef7d73146fbb7a9ee37e8da7659edd
SHA1

9123211c652b3e061208876b5251c48a4d00688a
SHA256

c22bbed39520dcd7570bb708d495e04088958d890b1fbbfa6075381ab4841d30
SHA512

0920006447194f83dc7441e0baacd572954c520171cfa7871222c9278e11e9205a01a5eecf2969b6f7150475224ff0eff9539eea1bc37c3cf2c77d0d2101d379
SSDEEP

12288:v3NmZyDSPE8MDxbd7t3I7ABtZCwPP7plD+kqmjuX4FG:v3Nqwl8Yxbpt3I7AFC2PtlFjDG

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89ef7d73146fbb7a9ee37e8da7659edd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 1992	3932	89ef7d73146fbb7a9ee37e8da7659edd_JaffaCakes118.exe	86
PID 3932 wrote to memory of 1992	3932	89ef7d73146fbb7a9ee37e8da7659edd_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\89ef7d73146fbb7a9ee37e8da7659edd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\89ef7d73146fbb7a9ee37e8da7659edd_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3932-0-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/3932-1-0x0000000002360000-0x0000000002362000-memory.dmp

Filesize
8KB

Download
memory/3932-2-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/3932-3-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/3932-5-0x0000000002360000-0x0000000002362000-memory.dmp

Filesize
8KB

Download
memory/3932-6-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download