1692d354339d2fd8ac74418a650130ccf2a4be612d4a0568ada8c9f95b65861b

Analysis

max time kernel
133s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a639768675cc6545bafe4f55dbb1b576_JaffaCakes118.exe
Size

320KB
MD5

a639768675cc6545bafe4f55dbb1b576
SHA1

27079abd0e237d61e8e6753afa1a91da18bf62f1
SHA256

1692d354339d2fd8ac74418a650130ccf2a4be612d4a0568ada8c9f95b65861b
SHA512

c0fdb66ba5eee04e69fc75eb556d397319a04906f60666b3dd2b5b9da57770829a0be4e99da35ef1a9f9495ec53bc20923a0c3ac656259e2b13a60466234724e
SSDEEP

3072:c+SOncDw+AoUBPNBPt4CvLXukOFfrsrRMeTsuZfb:HSOnswPPXPHvLXCTslMewuZz

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
892	arqqbn.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arqqbn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a639768675cc6545bafe4f55dbb1b576_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
964	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
964	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 4592	1616	a639768675cc6545bafe4f55dbb1b576_JaffaCakes118.exe	84
PID 1616 wrote to memory of 4592	1616	a639768675cc6545bafe4f55dbb1b576_JaffaCakes118.exe	84
PID 1616 wrote to memory of 4592	1616	a639768675cc6545bafe4f55dbb1b576_JaffaCakes118.exe	84
PID 4592 wrote to memory of 892	4592	cmd.exe	86
PID 4592 wrote to memory of 892	4592	cmd.exe	86
PID 4592 wrote to memory of 892	4592	cmd.exe	86
PID 4592 wrote to memory of 964	4592	cmd.exe	87
PID 4592 wrote to memory of 964	4592	cmd.exe	87
PID 4592 wrote to memory of 964	4592	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\a639768675cc6545bafe4f55dbb1b576_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a639768675cc6545bafe4f55dbb1b576_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbncdcr.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Users\Admin\AppData\Local\Temp\arqqbn.exe
    "C:\Users\Admin\AppData\Local\Temp\arqqbn.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:892
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\arqqbn.exe

Filesize
184KB

MD5
7e89d5dfd5cb4431439d5c6ccbc5c085

SHA1
11e8122b431bb8a067e071b38b194f57f860b60e

SHA256
06b5ff3f28573e837cd6b93e37f6bd805e1a49553084e7751745d2d1377a67cb

SHA512
5af6003fa23c15c63fd192fd0ba972ac04d31e404b64b69a72690b4a47818407cd6726579bdf53a1788259adc2ddb388d98a4fd82458f008267bf313a389adf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rbncdcr.bat

Filesize
124B

MD5
abdda0290165cf8e7065e9c343ffaa66

SHA1
21c88a393cfd6ea40952bdf6ab042dfeb63b52e1

SHA256
d787c179680a5e4c91e01b08665e07a1c61c175ae8a8a6021a338638a7bcb942

SHA512
2a2fa425679740b4f17fa9dbd907aed328427a41dd9e2bf92f58f20cc6b7b4518d97ddc7927cf0ce3b84fcd9c343ac72f6861c2b3240f80fdcbb1255745515dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\yeutgo.bat

Filesize
170B

MD5
feccf3ebb7111984828300df4a426074

SHA1
c6646147b40feafb9448d71571c645a9bc48bf30

SHA256
a7285893d9e50511acc026f08b82e13e84a5cc8424a11a97c8c3b6ebab0a355f

SHA512
b1bb32a7ccea135ba127f591e6b0d1cc6ac1f05a5e8f58ba98b857e3c5def162828c22e4c5791d5240f49a016f30f48b5a9b41660c3403bb5c3613785bce91b6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads