c37d0be2e9b7c6bc950ff1355ce93d4d55c818de3ef7ab46c198f42d36079120

Analysis

max time kernel
140s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6be6c8a4fe32dac7c47cc8f5f344103_JaffaCakes118.exe
Size

807KB
MD5

a6be6c8a4fe32dac7c47cc8f5f344103
SHA1

f85c5d3164b260ca270d991539a71d4fe5b1fc1e
SHA256

c37d0be2e9b7c6bc950ff1355ce93d4d55c818de3ef7ab46c198f42d36079120
SHA512

9a670454d0f02c75882cdec406afbaa8bbfd17575157ec6b2b2d31a07d9e21c532b86b3feea7dd30aa86ffaafb76d3661d2ebd5ebd9df54fe60e9ab28ef14374
SSDEEP

12288:uXGhhMpVcBd8VZI7WZnG59nMP1LZBuO9RxyHXNwQct0Kj3TmKt58zhIYYt6sRr:kqeqBiVZIMq9nMP3BuciHXCGKjkOZNR

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4172	is-282V4.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6be6c8a4fe32dac7c47cc8f5f344103_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-282V4.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 4172	5044	a6be6c8a4fe32dac7c47cc8f5f344103_JaffaCakes118.exe	84
PID 5044 wrote to memory of 4172	5044	a6be6c8a4fe32dac7c47cc8f5f344103_JaffaCakes118.exe	84
PID 5044 wrote to memory of 4172	5044	a6be6c8a4fe32dac7c47cc8f5f344103_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\a6be6c8a4fe32dac7c47cc8f5f344103_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a6be6c8a4fe32dac7c47cc8f5f344103_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Users\Admin\AppData\Local\Temp\is-B4U5C.tmp\is-282V4.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-B4U5C.tmp\is-282V4.tmp" /SL4 $502E4 C:\Users\Admin\AppData\Local\Temp\a6be6c8a4fe32dac7c47cc8f5f344103_JaffaCakes118.exe 607540 50688
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-B4U5C.tmp\is-282V4.tmp

Filesize
588KB

MD5
ada0596f481e037ab4eb86fcb10e827e

SHA1
ef03245a6479799c3946b5cee16ef1dd72c46a8d

SHA256
cf66bee55697b7bab60bdf17898af35528887ebc916a12c3510189629bf17967

SHA512
1fe891effa732e37ec997894fddb847553e83a64dccf650fa00ab95027f52b2845b318dc836e5487835c4da18559c1de6731af592f81a39f80dd23ef2111ac88

Download Submit
memory/4172-8-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4172-12-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5044-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5044-2-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/5044-11-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download