7abbbfad0fbe5c73e52444c9694920f7f437dbdffc706e4413b962544541b2bd

Analysis

max time kernel
135s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a732e9478d0c895237e357acfe99bd0b_JaffaCakes118.exe
Size

4.7MB
MD5

a732e9478d0c895237e357acfe99bd0b
SHA1

7805d9eb5dfab9b9d173b46d0c7b840a2d6520e2
SHA256

7abbbfad0fbe5c73e52444c9694920f7f437dbdffc706e4413b962544541b2bd
SHA512

aa123e69b701503c0aefe86ab94cdfc31fa37fab441d8aa665d16434ae612a52bcf914750bb0906706454ea515ffeeb71813c40283bd46aae1dbb4ae7c66a948
SSDEEP

98304:x3LkzwMNCx1q3UkL3MN+S9DDpOtyu2It/800gBr/KKNkNWiqG4a+rGVF4D29:18z2+UkL3gNs2It/X1Xiqba2a

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
1132	a732e9478d0c895237e357acfe99bd0b_JaffaCakes118.exe
1132	a732e9478d0c895237e357acfe99bd0b_JaffaCakes118.exe
1132	a732e9478d0c895237e357acfe99bd0b_JaffaCakes118.exe
1132	a732e9478d0c895237e357acfe99bd0b_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a732e9478d0c895237e357acfe99bd0b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a732e9478d0c895237e357acfe99bd0b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: 35	1132	a732e9478d0c895237e357acfe99bd0b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 1132	1028	a732e9478d0c895237e357acfe99bd0b_JaffaCakes118.exe	85
PID 1028 wrote to memory of 1132	1028	a732e9478d0c895237e357acfe99bd0b_JaffaCakes118.exe	85
PID 1028 wrote to memory of 1132	1028	a732e9478d0c895237e357acfe99bd0b_JaffaCakes118.exe	85
PID 1132 wrote to memory of 4240	1132	a732e9478d0c895237e357acfe99bd0b_JaffaCakes118.exe	86
PID 1132 wrote to memory of 4240	1132	a732e9478d0c895237e357acfe99bd0b_JaffaCakes118.exe	86
PID 1132 wrote to memory of 4240	1132	a732e9478d0c895237e357acfe99bd0b_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\a732e9478d0c895237e357acfe99bd0b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a732e9478d0c895237e357acfe99bd0b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Users\Admin\AppData\Local\Temp\a732e9478d0c895237e357acfe99bd0b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a732e9478d0c895237e357acfe99bd0b_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c color f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI10282\VCRUNTIME140.dll

Filesize
81KB

MD5
a2523ea6950e248cbdf18c9ea1a844f6

SHA1
549c8c2a96605f90d79a872be73efb5d40965444

SHA256
6823b98c3e922490a2f97f54862d32193900077e49f0360522b19e06e6da24b4

SHA512
2141c041b6bdbee9ec10088b9d47df02bf72143eb3619e8652296d617efd77697f4dc8727d11998695768843b4e94a47b1aed2c6fb9f097ffc8a42ca7aaaf66a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10282\_socket.pyd

Filesize
60KB

MD5
fb4db1e9eb7c4e3d7f74f1e31d7f2f02

SHA1
63c855aa583d2e484b42cfbfe78f6202601b782b

SHA256
62ea60c77915fb24bdde4afa3b4639ccf4898929a79bec2d1d1b3f7f42e8e095

SHA512
801c9a3d1858738f736759b37c14dbbf22672a2cd652f14afa1399f209d70a416935460319c0f08a1d9ebb0fd0d5236c377298cc0d0a2c3de0c40fe0503bd0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10282\base_library.zip

Filesize
757KB

MD5
dba37dbc6c275b3fe012296a3756a63c

SHA1
356462cd4bd8af5540f96c13381f6d0dfaf5d8fa

SHA256
bff418729811c9e347da089583cfeace823c832c80f28d3f8b2ddb681b2a0707

SHA512
077ae4ab9704f8c53b7ca118ebc3985e23c862f921b50177cdd1d831beced9cf3051dc974c80316b251a6a181319912164fd212e558bc7f3174362c85d962c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10282\main.exe.manifest

Filesize
1KB

MD5
8908dc00f6cdab92c0d4109de8c16b05

SHA1
e2ce2df7349c55ed73d96ade18bd9da1a4e49f23

SHA256
b9e3ea77500cddab23d83f9fbd24f6955b495ce73f54fcadbbdd752253cce9bb

SHA512
10580566400386b360bc0835d7f5ee1bebc49d8eebd0aad6c364dec20e53a88b96e4f1e9468f39fcf859cd117fcfcdd809e4644cf81dd6d9ee6e1942b4fdeff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10282\python36.dll

Filesize
3.1MB

MD5
1ac97dbe4a81fc2beb509f8da5a3e8b6

SHA1
b9e7d3857a10072c8569b2d07e0208059cf9495c

SHA256
258dd151e3ec9632d0b49488cc689bcbab172648854e121dc6b5f2e43e58cb62

SHA512
c69a7619d3b75d7170e087be9f02afc6d6bd1706aefcb60e84507f33d393f7323b168436f77c540c9439e2045b7577a2fb77ad287e02ff1afac747017478fad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10282\select.pyd

Filesize
22KB

MD5
02aaefa1473499a116ed8ce166881637

SHA1
a373f1cb2655778e1f908541cc29d9ec46f308f3

SHA256
733808629fa4903b844ef854cbab30323442cc62d015858f72a2d28253d5a8ab

SHA512
48b211d0134eb4bd8cc236cb563a7bb5f7c0daa0d9aa2c79004c751856925c21e0297f380c7d14d568ce3d8663e2221f7d6a1d96607ec3b64f031bb53e2eace8

Download Submit