2e0eef7909ae3b244e858daafda0ca5a2eccc647ffca05c7424b21abd97ca19b

Analysis

max time kernel
140s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-08-2024 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8afdc81cb1d5a409368e4117eeeaca42_JaffaCakes118.exe
Size

57KB
MD5

8afdc81cb1d5a409368e4117eeeaca42
SHA1

611f2d1feea7de9cffb79041c13c96baecc142bc
SHA256

2e0eef7909ae3b244e858daafda0ca5a2eccc647ffca05c7424b21abd97ca19b
SHA512

4875bc1e47f07bf19f0b9c6436f7a70c12e91796ba16c07cfde6eeffba47faed0d90e2ea00ec5a60251b1d10a7fd4426537cd312b45f7c83f91dcee388494af7
SSDEEP

768:vCru/f9Iw/E6zy4n8uZ5tUXMJ+fROUmELY2glEbM3j+rd+fpRiTWNReOOI:71Tzy48untU8fOMEI3jyYfPiuOI

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8afdc81cb1d5a409368e4117eeeaca42_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexpress.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	makecab.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2440	2824	8afdc81cb1d5a409368e4117eeeaca42_JaffaCakes118.exe	92
PID 2824 wrote to memory of 2440	2824	8afdc81cb1d5a409368e4117eeeaca42_JaffaCakes118.exe	92
PID 2824 wrote to memory of 2440	2824	8afdc81cb1d5a409368e4117eeeaca42_JaffaCakes118.exe	92
PID 2440 wrote to memory of 3524	2440	cmd.exe	93
PID 2440 wrote to memory of 3524	2440	cmd.exe	93
PID 2440 wrote to memory of 3524	2440	cmd.exe	93
PID 3524 wrote to memory of 5080	3524	iexpress.exe	94
PID 3524 wrote to memory of 5080	3524	iexpress.exe	94
PID 3524 wrote to memory of 5080	3524	iexpress.exe	94

C:\Users\Admin\AppData\Local\Temp\8afdc81cb1d5a409368e4117eeeaca42_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8afdc81cb1d5a409368e4117eeeaca42_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6BA6.tmp\1.bat" "C:\Users\Admin\AppData\Local\Temp\8afdc81cb1d5a409368e4117eeeaca42_JaffaCakes118.exe""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\iexpress.exe
    iexpress /n /q /m C:\Users\Admin\AppData\Local\Temp\popup.sed
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - C:\Windows\SysWOW64\makecab.exe
      C:\Windows\SysWOW64\makecab.exe /f "~%TargetName%.DDF"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4200,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4152 /prefetch:8
1⤵
PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6BA6.tmp\1.bat

Filesize
1KB

MD5
02dba5f37067292355c6d01a57d4ef48

SHA1
7c67ab3f99fbf7a53018dd295d2968c525db83d9

SHA256
8b74c812ba9e6c536da7edd4101e7e0dddeab8355e5aff095dd31b3f00560242

SHA512
12201f949ee3198c8f4b39cc8edf90a114ecf42ddd5383ed0b87e4c78053cd517786dc7af83557e63a0483af74f4c0117d5568441ae761ff6958e758704d602a

Download Submit
C:\Users\Admin\AppData\Local\Temp\popup.sed

Filesize
57KB

MD5
58a248004056f97bc08ac8f6c08b7e57

SHA1
c7185c8d31804c5a39aa969f0d416cf13a33ab81

SHA256
c5802f58f555eae7be6656c0552910a6a4cbe63e14489656258f993b0e61ce23

SHA512
bc753661ac5327890561245229651962898e63d567b0d71861f381fd3c25961673456b83c54121c5f7ea16b49c82a52242be70833fa3f39852f0a86807538ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\~%TargetName%.DDF

Filesize
724B

MD5
c3ca008abd6997c4b036a7e8be75cb2c

SHA1
05f7a3527bb04c691b08f040f562582035398829

SHA256
29ef6bf47dcc8c67f1abe1b269d3518d6a4ebe125daa1ea460779638cb9782a3

SHA512
bee0baf3cb83144239077f99f5ca2a6ca7b618f7f51a53e03613ae697e8bc76fa28f5d006296b469be8e1fffeeb35668b5fe87b260b1380cc003815ea9efb083

Download Submit