5168b7e8a97dff6d2733dbd9379beebe0b6d7ee3dd905d9bf578e7fee98b33f5

Analysis

max time kernel
141s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-08-2024 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c055357d0c9e2ab52ad575ea8e91257_JaffaCakes118.exe
Size

2.4MB
MD5

8c055357d0c9e2ab52ad575ea8e91257
SHA1

ab915a8ff513e2e9c642736c2cb39aa0e1e2054a
SHA256

5168b7e8a97dff6d2733dbd9379beebe0b6d7ee3dd905d9bf578e7fee98b33f5
SHA512

7056b21787a767b66d2edd6f33bce5466ecaf7be85e2e8754d681347171d34ab6856924048a5be59332b36a520ae2ea67820b73531b96eccade65b80b8fe9d12
SSDEEP

49152:Kgut12CwvEEAJEyCpXl3G6tjKfql2Ad7D7ovT7dcyrqIlu0:KJ1oLAJEbpXl3G6tjKSZ7ovT7dcyrblX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3568	GLBCBBC.tmp

Loads dropped DLL 1 IoCs

pid	Process
3568	GLBCBBC.tmp

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GLBSINST.%$D	GLBCBBC.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c055357d0c9e2ab52ad575ea8e91257_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GLBCBBC.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 3568	3320	8c055357d0c9e2ab52ad575ea8e91257_JaffaCakes118.exe	84
PID 3320 wrote to memory of 3568	3320	8c055357d0c9e2ab52ad575ea8e91257_JaffaCakes118.exe	84
PID 3320 wrote to memory of 3568	3320	8c055357d0c9e2ab52ad575ea8e91257_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\8c055357d0c9e2ab52ad575ea8e91257_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8c055357d0c9e2ab52ad575ea8e91257_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Users\Admin\AppData\Local\Temp\GLBCBBC.tmp
  C:\Users\Admin\AppData\Local\Temp\GLBCBBC.tmp 4736 C:\Users\Admin\AppData\Local\Temp\8C0553~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GLBCBBC.tmp

Filesize
70KB

MD5
50bfcc165d7538c16954ec15ee1aa9b8

SHA1
4e6c498d5abc8b944ab96af34a07c36cfe48ddce

SHA256
b7cb7337eac0eb572d2e01c8678fbc66c583d74f7e2e56ac4558d4c955e04140

SHA512
2234a4a4f7cd86c7e9194f6a58141c7a146153eb11e57e3c1f1a807282761cd14f89f4e3fa9428cd864ea9fb0aa7360a1f12ca1acca98429aec472ce947a25f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLCCC87.tmp

Filesize
161KB

MD5
8c97d8bb1470c6498e47b12c5a03ce39

SHA1
15d233b22f1c3d756dca29bcc0021e6fb0b8cdf7

SHA256
a87f19f9fee475d2b2e82acfb4589be6d816b613064cd06826e1d4c147beb50a

SHA512
7ad0b2b0319da52152c2595ee45045d0c06b157cdaaa56ad57dde9736be3e45fd7357949126f80d3e72b21510f9bf69d010d51b3967a7644662808beed067c3f

Download Submit