5a7b9c75926a4a0db35930c9cf9aea4ac8a806dcaf65b5b523ba369cfc2d7160

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a771cbf981b4f3b5ebef253e382edacf_JaffaCakes118.exe
Size

145KB
MD5

a771cbf981b4f3b5ebef253e382edacf
SHA1

50c2de45a4700d32c792fb3dc026374899cc81f8
SHA256

5a7b9c75926a4a0db35930c9cf9aea4ac8a806dcaf65b5b523ba369cfc2d7160
SHA512

6fbd6d2281dc6bc667d1e774e31b7e108af89ed2b2c2deb86ac361f994dd1b5173afc46d077c40b0e034a15b959dfe396c2bbb5a96096a98aa90bc86cdc6519b
SSDEEP

3072:g8I9agK8hhwecevdiKniUP9AL62FixGOMSUB8U3zL0330iGuPi:9gK8oevo2OL63Bkhua

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1300	sxeC12F.tmp

Loads dropped DLL 2 IoCs

pid	Process
2568	a771cbf981b4f3b5ebef253e382edacf_JaffaCakes118.exe
2568	a771cbf981b4f3b5ebef253e382edacf_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a771cbf981b4f3b5ebef253e382edacf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sxeC12F.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 1300	2568	a771cbf981b4f3b5ebef253e382edacf_JaffaCakes118.exe	30
PID 2568 wrote to memory of 1300	2568	a771cbf981b4f3b5ebef253e382edacf_JaffaCakes118.exe	30
PID 2568 wrote to memory of 1300	2568	a771cbf981b4f3b5ebef253e382edacf_JaffaCakes118.exe	30
PID 2568 wrote to memory of 1300	2568	a771cbf981b4f3b5ebef253e382edacf_JaffaCakes118.exe	30
PID 2568 wrote to memory of 1300	2568	a771cbf981b4f3b5ebef253e382edacf_JaffaCakes118.exe	30
PID 2568 wrote to memory of 1300	2568	a771cbf981b4f3b5ebef253e382edacf_JaffaCakes118.exe	30
PID 2568 wrote to memory of 1300	2568	a771cbf981b4f3b5ebef253e382edacf_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\a771cbf981b4f3b5ebef253e382edacf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a771cbf981b4f3b5ebef253e382edacf_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\Temp\sxeC12F.tmp
  "C:\Users\Admin\AppData\Local\Temp\sxeC12F.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sxeC11D.tmp

Filesize
15KB

MD5
bd815b61f9948f93aface4033fbb4423

SHA1
b5391484009b39053fc8b1bba63d444969bafcfa

SHA256
b018bf9e9f8b6d945e6a2a25984970634884afabc580af2b4e855730520d5d76

SHA512
a363abe97b5a44e5d36af859e8d484daffe1d8e321c87969a75d1bfaa4288a5e6be1922a02c6d72937c84e81a79a1c7f6c9f2a44a995cac3f993ed5608afcd71

Download Submit
\Users\Admin\AppData\Local\Temp\sxeC12F.tmp

Filesize
604KB

MD5
9c5e35ca26bb166e68ed55641f2e8095

SHA1
cfce27c423bf813926a86aefc496ee071bf1ca91

SHA256
7777701b048ea85287ea4f07be7d2f598e82789b3966f934c7096cc803d577dc

SHA512
30874dbe6b56bbf9ff32cc2ae2a8b58ef65cb37a66f24b29f1abdd7fbce023b231ef3dd94412e37cbde277fcf624ed0c9a6cbfb3fe4e53ac431bec1aebf5ca00

Download Submit