8ef840fa379b5ce9b0cf5c3253bae1aa0ea13d1355443bcd9a8a7019b01945f1

Analysis

max time kernel
140s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 00:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a09ab78abf08cf291b5873c29ef67e01_JaffaCakes118.exe
Size

14.8MB
MD5

a09ab78abf08cf291b5873c29ef67e01
SHA1

82825682dacd9661d172720c5d9b0fc9f5134b8e
SHA256

8ef840fa379b5ce9b0cf5c3253bae1aa0ea13d1355443bcd9a8a7019b01945f1
SHA512

e48a048524b8ad463363a4ecea35647e559d48cfe7bba05a4fb8217882615fe106ebf044f075e0dfbcc61295565ab176cb4f3aaebcf40fd005040004643f43ba
SSDEEP

393216:2jdSjXscS1lT3DSPfEEnQCDbLI43Z+s+pYmiNsM2O1D:03POPbnhDbLBpf+pYm8d

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4784	GGExit.exe

Loads dropped DLL 1 IoCs

pid	Process
2544	a09ab78abf08cf291b5873c29ef67e01_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a09ab78abf08cf291b5873c29ef67e01_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GGExit.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 4784	2544	a09ab78abf08cf291b5873c29ef67e01_JaffaCakes118.exe	84
PID 2544 wrote to memory of 4784	2544	a09ab78abf08cf291b5873c29ef67e01_JaffaCakes118.exe	84
PID 2544 wrote to memory of 4784	2544	a09ab78abf08cf291b5873c29ef67e01_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\a09ab78abf08cf291b5873c29ef67e01_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a09ab78abf08cf291b5873c29ef67e01_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\nscA559.tmp\GGExit.exe
  "C:\Users\Admin\AppData\Local\Temp\nscA559.tmp\GGExit.exe" 5
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nscA559.tmp\GGExit.exe

Filesize
53KB

MD5
e412a8bb18bbfcb9ef67f940066a44f7

SHA1
355e7c5f3db3117f57dd888d38d5ceb19dc897e8

SHA256
7a51c8eb57b797738b54ad42c826882c65f78dbd1064980e5593b54e1408add5

SHA512
e0497089d5f9fffec4754056c8b95ca58fe95274818187d5de3a8c32074d19d837a9b07f7033d805c9f0ec96dcdebb27040454cfebceaa0132c30a6950689da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscA559.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscA559.tmp\ioSpecial.ini

Filesize
663B

MD5
bb4de9815a10eb00b669acd2447fd3a9

SHA1
7205b9813ffafd856a00fc5ff693263f5c859e1b

SHA256
9a13b3efada04d4d4f1bfc5b8ab353e4cc13a16de24d56b8d92052015f290a96

SHA512
ad2e1854dc280b19e9ce6e729278f7042f31b367383cbf8a690f99a66097eae2bceb52133a52694f68af2c1ac5ed04b430af1f4d7e092404df8bb6d9ee69bd31

Download Submit