c9513a5ceaab0e59d166dce8aed2306258c0be81a858fcf0fa71893e974cd568

Analysis

max time kernel
131s
max time network
132s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5f911ee8464cb4801bfbc43ba6d9e55_JaffaCakes118.exe
Size

3KB
MD5

a5f911ee8464cb4801bfbc43ba6d9e55
SHA1

cf81159426f01f3c066a8d6725576c433ed22b41
SHA256

c9513a5ceaab0e59d166dce8aed2306258c0be81a858fcf0fa71893e974cd568
SHA512

e3c7b2b9fb67aa19a8bede3aa1b46c93cbe355054e1ead0172ca9b517e13499954db6b4cb7e5a5e8cfb61fff9f18a8d37b2719ef0baa23cbdb203ae62122c25d

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1628	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5f911ee8464cb4801bfbc43ba6d9e55_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2604	a5f911ee8464cb4801bfbc43ba6d9e55_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 1628	2604	a5f911ee8464cb4801bfbc43ba6d9e55_JaffaCakes118.exe	40
PID 2604 wrote to memory of 1628	2604	a5f911ee8464cb4801bfbc43ba6d9e55_JaffaCakes118.exe	40
PID 2604 wrote to memory of 1628	2604	a5f911ee8464cb4801bfbc43ba6d9e55_JaffaCakes118.exe	40
PID 2604 wrote to memory of 1628	2604	a5f911ee8464cb4801bfbc43ba6d9e55_JaffaCakes118.exe	40

C:\Users\Admin\AppData\Local\Temp\a5f911ee8464cb4801bfbc43ba6d9e55_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a5f911ee8464cb4801bfbc43ba6d9e55_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\a.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a.bat

Filesize
100B

MD5
06629bf4a9ef1a10de49bb586cf39417

SHA1
806d911ef635dac8af51c8c890030fd64c231273

SHA256
594749dc087344d74b5f5c353cc0ad82e133ea05d67ec6bd91264059c6bc7fd4

SHA512
058765cfd0818d56908391581203a2d6c919d535f9b2fbf7070cfdc122e2013f7fc7c83f5adc0eabe05a4e351b1381b6933ee8412960314e6cc40f0ce293f266

Download Submit