36b36af7a1bb9dac92c33ce73545b2d6b7991147669d8ee52be41a4292fb062d

Analysis

max time kernel
141s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9602303e09b6d71564f1c7f2798bcefb_JaffaCakes118.exe
Size

44KB
MD5

9602303e09b6d71564f1c7f2798bcefb
SHA1

1465dfd3d0b6d2fd1026d427fdd771f7cc5baf5d
SHA256

36b36af7a1bb9dac92c33ce73545b2d6b7991147669d8ee52be41a4292fb062d
SHA512

86e40951ebf499a4f7ae3372b18b4f2c08e528b726cd3ff940caf0f7804343a23ad17ae54dc320b780deb3153cb726b1123ffc14995d6f86d0f74ac7e39931b9
SSDEEP

768:hConZrk9TA9n8MLJajJN6tVqqBLWKg/S7yHTOfWzL8zF21IFPfpTrZNXohVR:YoeAeMokNe/S7bfWqF/BhTdNXa

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	9602303e09b6d71564f1c7f2798bcefb_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1196	opeB508.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9602303e09b6d71564f1c7f2798bcefb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 1196	4884	9602303e09b6d71564f1c7f2798bcefb_JaffaCakes118.exe	87
PID 4884 wrote to memory of 1196	4884	9602303e09b6d71564f1c7f2798bcefb_JaffaCakes118.exe	87
PID 4884 wrote to memory of 1196	4884	9602303e09b6d71564f1c7f2798bcefb_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\9602303e09b6d71564f1c7f2798bcefb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9602303e09b6d71564f1c7f2798bcefb_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Users\Admin\AppData\Local\Temp\opeB508.exe
  "C:\Users\Admin\AppData\Local\Temp\opeB508.exe"
  2⤵
  - Executes dropped EXE
  PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\opeB508.exe

Filesize
45KB

MD5
43c73ea2871d383664fb447954b7135b

SHA1
0ca93d8223037e42243389ac2fd52b16c5eb4b8e

SHA256
4cdd50d85d79c65e2b812308eae3e5204c5e99ffe66bf019d5409b93ed032d13

SHA512
7b93c3b110aed515f571228edb6923b0c80b89698fb14dc4f53327424e0db3db765b657f191f22385c0a824980c81cdf17aed4e46b6adde8c09d82f54c2581f1

Download Submit
memory/4884-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4884-11-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download