9ced1526a0ec526551b5460bc6f0887067f0c721fde0b5a14d29a3b44e0c8e87

Analysis

max time kernel
143s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-08-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
Size

955KB
MD5

8b7606abdf9cc93c1a3be44782bf4009
SHA1

0813f039cfcca6a6d642c632ab9d99403ed3b6bf
SHA256

9ced1526a0ec526551b5460bc6f0887067f0c721fde0b5a14d29a3b44e0c8e87
SHA512

b2ebb14e02500abefe8969925f7d39eab1d8eb1691b7e93f7184d919f50753a5a4ef4b63868b25ab0d875eb7c62bdf42fa918cec0e29a0ce7a2dc2d427607e5c
SSDEEP

12288:Tuh4yvH9UVz/IMrY3Lm8J2K78t/EdNWl/6qqKzaOvoJpaz/g/J/vVWyM:Ch1+zfQet/d/6qqKH8az/g/J/NWy

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 1428	4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe	106
PID 4028 wrote to memory of 1428	4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe	106
PID 4028 wrote to memory of 1428	4028	8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe	106

C:\Users\Admin\AppData\Local\Temp\8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8b7606abdf9cc93c1a3be44782bf4009_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\rmeslf.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\rmeslf.bat

Filesize
232B

MD5
30e26685ea0451b93ff30447516bb80e

SHA1
df3c79f95672db0597f1474aff1383d93b2b5c05

SHA256
ce357e2576d0b1f0469f517f03b09dd141fc5a961b1b67b3e07fc343a7a8d130

SHA512
f9df2f8a06bb03594e7edda6becabfb72932fb30392c2a3113a70669acb5fd5653f50f63e0d9617c218b2d3f6ba58b907ff14ce1f5f5940dd6ec80cebb5ec688

Download Submit