b5c26b4b8f383dd78a866db5b8e399d654944903931897a7507754712888e8fb

Analysis

max time kernel
134s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 00:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a8e7ca58eb3a05f7d8371fe3e8c19ad6_JaffaCakes118.exe
Size

24KB
MD5

a8e7ca58eb3a05f7d8371fe3e8c19ad6
SHA1

6de7140a49570755fea2c778737581c97a05b019
SHA256

b5c26b4b8f383dd78a866db5b8e399d654944903931897a7507754712888e8fb
SHA512

7f694152880f39c4c2ade512eec95fa427b08da924082193bb3bf1eaa8032ee542e857c74a2b92b2834c69c36578f4602b819e49270b5b5a94c802d42dc8a142
SSDEEP

768:8rzarzskcfHj6UHuSvxzgkSzQdpDRBxBL:8/a/stQrzEpjx

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	MapleStoryUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	a8e7ca58eb3a05f7d8371fe3e8c19ad6_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4756	MapleStoryUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8e7ca58eb3a05f7d8371fe3e8c19ad6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MapleStoryUpdate.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 4756	3928	a8e7ca58eb3a05f7d8371fe3e8c19ad6_JaffaCakes118.exe	84
PID 3928 wrote to memory of 4756	3928	a8e7ca58eb3a05f7d8371fe3e8c19ad6_JaffaCakes118.exe	84
PID 3928 wrote to memory of 4756	3928	a8e7ca58eb3a05f7d8371fe3e8c19ad6_JaffaCakes118.exe	84
PID 3928 wrote to memory of 3800	3928	a8e7ca58eb3a05f7d8371fe3e8c19ad6_JaffaCakes118.exe	85
PID 3928 wrote to memory of 3800	3928	a8e7ca58eb3a05f7d8371fe3e8c19ad6_JaffaCakes118.exe	85
PID 3928 wrote to memory of 3800	3928	a8e7ca58eb3a05f7d8371fe3e8c19ad6_JaffaCakes118.exe	85
PID 4756 wrote to memory of 3500	4756	MapleStoryUpdate.exe	97
PID 4756 wrote to memory of 3500	4756	MapleStoryUpdate.exe	97
PID 4756 wrote to memory of 3500	4756	MapleStoryUpdate.exe	97

C:\Users\Admin\AppData\Local\Temp\a8e7ca58eb3a05f7d8371fe3e8c19ad6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a8e7ca58eb3a05f7d8371fe3e8c19ad6_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Users\Admin\AppData\Local\Temp\MapleStoryUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\MapleStoryUpdate.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gameupdate.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gameupdate.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Gameupdate.bat

Filesize
231B

MD5
624db4aaec979b24490ba18b5e6f942e

SHA1
c70d94502182b983b085342af6097f5af4680685

SHA256
c9a5c9591298abd0eccccaef9ab39323ef810f1cd7b715fccd953fd538ee3d7e

SHA512
2b8b5ea8c5aff0be9c7303d2aba1a21afea97134f89796f59de5a6d60d117034ea82bbf9194a3d29ab0429b39837efe53f30586365eaa4d4c673161cfc76704d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gameupdate.bat

Filesize
171B

MD5
a13a4431ebd705fd66424528b400dcae

SHA1
97a762da4dcaf89d6ddb12f365eb137f3d92d180

SHA256
2c6ebad5cf1db75b79e9a89f016f1b67c1050c347418e8992beaf354c937b53c

SHA512
18094805016d983d1c15d6840b1a7e686b53915160ee83639b806309b4c2e25f3252baf807e4caf2d9957091aa96b86d1a770667afbd950f96a2f7db3a2dad4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MapleStoryUpdate.exe

Filesize
24KB

MD5
a8e7ca58eb3a05f7d8371fe3e8c19ad6

SHA1
6de7140a49570755fea2c778737581c97a05b019

SHA256
b5c26b4b8f383dd78a866db5b8e399d654944903931897a7507754712888e8fb

SHA512
7f694152880f39c4c2ade512eec95fa427b08da924082193bb3bf1eaa8032ee542e857c74a2b92b2834c69c36578f4602b819e49270b5b5a94c802d42dc8a142

Download Submit