75fd0ad50a5457a647d2751daf98a680ba7f2902117c65cad450ea2bfec790be

Analysis

max time kernel
146s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 18:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8b6be1f029feb5c72b627b54824e4a48_JaffaCakes118.exe
Size

20KB
MD5

8b6be1f029feb5c72b627b54824e4a48
SHA1

e7f35702b0aa2b82dd1d53964f1c9ebc82b9abfe
SHA256

75fd0ad50a5457a647d2751daf98a680ba7f2902117c65cad450ea2bfec790be
SHA512

634725cf681f14897947286462a911718df847d49f95b10a7914161704977509f1da7bf1dfce1fcc2446011ccc09826f31cffb3014c2f701aa58474b6b79d9fd
SSDEEP

384:45WsEe22Qpd/n22Ku+oL3/GKHkJyfdRIjvr5aZRip+6aB5UtheCgP:BsExfpdfBKaj2qIjzAgp+L54eCi

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/980-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/980-3-0x0000000000400000-0x000000000041C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b6be1f029feb5c72b627b54824e4a48_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 980 wrote to memory of 4764	980	8b6be1f029feb5c72b627b54824e4a48_JaffaCakes118.exe	83
PID 980 wrote to memory of 4764	980	8b6be1f029feb5c72b627b54824e4a48_JaffaCakes118.exe	83
PID 980 wrote to memory of 4764	980	8b6be1f029feb5c72b627b54824e4a48_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\8b6be1f029feb5c72b627b54824e4a48_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8b6be1f029feb5c72b627b54824e4a48_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:980
- C:\Windows\SysWOW64\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\hackgp.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hackgp.vbs

Filesize
581B

MD5
37782bd4a42915ca96705c69dc2ce47f

SHA1
30f7319e107e89397ee798112329eff82cbdc8aa

SHA256
cbdb2703fe4f76948562a0a9a0256eb7dabc663f59a2dd83f01a75ba64a8df69

SHA512
82cbf5c8addf8bf14b2013b54e722c9e7f0a6cf933e50d53335ddfe268bcd75b7eb4ea171ba0499e9a6be29f0c75549254eafae6327d81705ab5b9bfee8f707e

Download Submit
memory/980-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/980-3-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download