c9a0873b7da29c44c1e6d61a765477fe0d87910a50a429cdab691a860f32145d

Analysis

max time kernel
140s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 14:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a2f85b05fb73759c7c8ab3dd139cd818_JaffaCakes118.exe
Size

71KB
MD5

a2f85b05fb73759c7c8ab3dd139cd818
SHA1

68c366f8ffb33cf1857189c371b9680ef84775f1
SHA256

c9a0873b7da29c44c1e6d61a765477fe0d87910a50a429cdab691a860f32145d
SHA512

e9a6748d8fe1129e942fdbff736d1c5b0e10d164bd64cc00d39e8e60d3b40212ee1e7d46844966be45837878f9e65ccf232e67f10e3a7ea3d93c19741b27ae02
SSDEEP

1536:Vrl+HMtKLhTszE0lvJqXb9jl4MWxzNJLUbKvfZOHW:Vrl+HMjAQIVl4tNJLFOHW

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3636	Au_.exe

Loads dropped DLL 1 IoCs

pid	Process
3636	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2f85b05fb73759c7c8ab3dd139cd818_JaffaCakes118.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x000700000002342b-4.dat	nsis_installer_1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 3636	2504	a2f85b05fb73759c7c8ab3dd139cd818_JaffaCakes118.exe	84
PID 2504 wrote to memory of 3636	2504	a2f85b05fb73759c7c8ab3dd139cd818_JaffaCakes118.exe	84
PID 2504 wrote to memory of 3636	2504	a2f85b05fb73759c7c8ab3dd139cd818_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\a2f85b05fb73759c7c8ab3dd139cd818_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a2f85b05fb73759c7c8ab3dd139cd818_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsm7EE6.tmp\LangDLL.dll

Filesize
5KB

MD5
51e7fd0885b7d7bf6edc030e17145950

SHA1
be7a62d254f897789cde5b9a77a8b3b0add6d141

SHA256
1a56dfe0bdae779b40d11b9caee5c96e81b9d69b0d45be7c7b11717e1db8c5a5

SHA512
a57c57a3d01839df10ab669bead1d757ef85e4a35cac65a3a147c5e1adaccaae52bb355ed8d4d460a6698cbda3ee8fba395875739670c8cf57884f66306d011a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
71KB

MD5
a2f85b05fb73759c7c8ab3dd139cd818

SHA1
68c366f8ffb33cf1857189c371b9680ef84775f1

SHA256
c9a0873b7da29c44c1e6d61a765477fe0d87910a50a429cdab691a860f32145d

SHA512
e9a6748d8fe1129e942fdbff736d1c5b0e10d164bd64cc00d39e8e60d3b40212ee1e7d46844966be45837878f9e65ccf232e67f10e3a7ea3d93c19741b27ae02

Download Submit