5a50ab1d17ed84b4e5810969a16670ca3f6b4cd6aa4a28d42d6ae40d9cd0bdd8

Analysis

max time kernel
140s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2a92f60495182fa83adcb98d7ff5450_JaffaCakes118.exe
Size

224KB
MD5

a2a92f60495182fa83adcb98d7ff5450
SHA1

3fd2e11eaf2c2ff05650dcb86e1ecbebc4106fce
SHA256

5a50ab1d17ed84b4e5810969a16670ca3f6b4cd6aa4a28d42d6ae40d9cd0bdd8
SHA512

157ef4082f5aae41379e0e9baf75b4cbb0370b82474c215779cd11db3b2545d0dc86f8a5a0f1bc6b7942ecd7f5ef52384fa2af773d478a9ed27f4dde62f8fe8b
SSDEEP

3072:Q+oe4kGLuXg9UDt8yIiKSE06osIIkGqrH2D00wMpxp3RWY7K/qc8Acx1JV4BSamo:Q37/qraD3J7K/Dcx3WBS7Sd

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1948 set thread context of 32	1948	a2a92f60495182fa83adcb98d7ff5450_JaffaCakes118.exe	84

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2a92f60495182fa83adcb98d7ff5450_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2a92f60495182fa83adcb98d7ff5450_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1948	a2a92f60495182fa83adcb98d7ff5450_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 32	1948	a2a92f60495182fa83adcb98d7ff5450_JaffaCakes118.exe	84
PID 1948 wrote to memory of 32	1948	a2a92f60495182fa83adcb98d7ff5450_JaffaCakes118.exe	84
PID 1948 wrote to memory of 32	1948	a2a92f60495182fa83adcb98d7ff5450_JaffaCakes118.exe	84
PID 1948 wrote to memory of 32	1948	a2a92f60495182fa83adcb98d7ff5450_JaffaCakes118.exe	84
PID 1948 wrote to memory of 32	1948	a2a92f60495182fa83adcb98d7ff5450_JaffaCakes118.exe	84
PID 1948 wrote to memory of 32	1948	a2a92f60495182fa83adcb98d7ff5450_JaffaCakes118.exe	84
PID 1948 wrote to memory of 32	1948	a2a92f60495182fa83adcb98d7ff5450_JaffaCakes118.exe	84
PID 1948 wrote to memory of 32	1948	a2a92f60495182fa83adcb98d7ff5450_JaffaCakes118.exe	84
PID 1948 wrote to memory of 32	1948	a2a92f60495182fa83adcb98d7ff5450_JaffaCakes118.exe	84
PID 1948 wrote to memory of 32	1948	a2a92f60495182fa83adcb98d7ff5450_JaffaCakes118.exe	84
PID 1948 wrote to memory of 32	1948	a2a92f60495182fa83adcb98d7ff5450_JaffaCakes118.exe	84
PID 1948 wrote to memory of 32	1948	a2a92f60495182fa83adcb98d7ff5450_JaffaCakes118.exe	84
PID 1948 wrote to memory of 32	1948	a2a92f60495182fa83adcb98d7ff5450_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\a2a92f60495182fa83adcb98d7ff5450_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a2a92f60495182fa83adcb98d7ff5450_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\a2a92f60495182fa83adcb98d7ff5450_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a2a92f60495182fa83adcb98d7ff5450_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:32

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4329235D\contact[1].jsp

Filesize
52B

MD5
15e9bccc4b541d261f5d9f45e8572082

SHA1
e4d02ef21049e0573d1009eeb42ac51555fdd067

SHA256
79e464c6e317df3e3d3b936c5e3fca7a7e56e566c7b19cb66890a0a61c74c6f1

SHA512
192a6872dfbe80854deaf19920c7d24125c9def01f844bd59c21d8aafa3499bb561f40307da9c1c87825b604adcd9c4f1c27786054c2f7755ab3e39c58bf9646

Download Submit
memory/32-2-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/32-3-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/32-4-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/32-5-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/32-13-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/32-15-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download