67fffd16ff4c444cfd1cf5df903834169fcfbd21c50c74f527b49ca3590e13bd

Analysis

max time kernel
149s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac1515570f1ce8bf3d1655030128ec06_JaffaCakes118.exe
Size

160KB
MD5

ac1515570f1ce8bf3d1655030128ec06
SHA1

e26aaf471df45ecf5231825aae9952eb6d6e7161
SHA256

67fffd16ff4c444cfd1cf5df903834169fcfbd21c50c74f527b49ca3590e13bd
SHA512

d4836e2caae4f05c41ce60b6a518534304b0a9f2065011763536f655c0b6db129af79622e2df1ece71763aabfd44bd995e7b353f16bd69a18abdf30f1b13a646
SSDEEP

3072:arGzHMAu2usKEP6oMjSv94FEp7SdiIscOG93lDAriU6:arwHMAuLmrL9F8DscOGV

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azvklz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chothcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nxmdwxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yeagqghkiumco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tnpugclblu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ravowllmfvy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tdda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftjnlxyxeffy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qksk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tztgwjdvaseho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rtssmrwurb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbyzwlmzlxwvm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lhtxndpnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac1515570f1ce8bf3d1655030128ec06_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ivxrnfklazjpv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ymbvjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ilzqgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ndjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vzzw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yindcydngcz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ewjkaqakzgwhv.exe

Suspicious behavior: RenamesItself 21 IoCs

pid	Process
3464	ac1515570f1ce8bf3d1655030128ec06_JaffaCakes118.exe
3912	ivxrnfklazjpv.exe
4200	azvklz.exe
3596	ymbvjm.exe
4868	tztgwjdvaseho.exe
452	tdda.exe
3076	ilzqgr.exe
4820	rtssmrwurb.exe
944	ndjq.exe
1744	chothcn.exe
2224	nxmdwxh.exe
1660	ftjnlxyxeffy.exe
4744	yeagqghkiumco.exe
2804	wnye.exe
4176	vzzw.exe
3832	yindcydngcz.exe
960	fbyzwlmzlxwvm.exe
2268	tnpugclblu.exe
404	qksk.exe
1676	ravowllmfvy.exe
780	ewjkaqakzgwhv.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 3912	3464	ac1515570f1ce8bf3d1655030128ec06_JaffaCakes118.exe	99
PID 3464 wrote to memory of 3912	3464	ac1515570f1ce8bf3d1655030128ec06_JaffaCakes118.exe	99
PID 3464 wrote to memory of 3912	3464	ac1515570f1ce8bf3d1655030128ec06_JaffaCakes118.exe	99
PID 3912 wrote to memory of 4200	3912	ivxrnfklazjpv.exe	103
PID 3912 wrote to memory of 4200	3912	ivxrnfklazjpv.exe	103
PID 3912 wrote to memory of 4200	3912	ivxrnfklazjpv.exe	103
PID 4200 wrote to memory of 3596	4200	azvklz.exe	104
PID 4200 wrote to memory of 3596	4200	azvklz.exe	104
PID 4200 wrote to memory of 3596	4200	azvklz.exe	104
PID 3596 wrote to memory of 4868	3596	ymbvjm.exe	105
PID 3596 wrote to memory of 4868	3596	ymbvjm.exe	105
PID 3596 wrote to memory of 4868	3596	ymbvjm.exe	105
PID 4868 wrote to memory of 452	4868	tztgwjdvaseho.exe	108
PID 4868 wrote to memory of 452	4868	tztgwjdvaseho.exe	108
PID 4868 wrote to memory of 452	4868	tztgwjdvaseho.exe	108
PID 452 wrote to memory of 3076	452	tdda.exe	110
PID 452 wrote to memory of 3076	452	tdda.exe	110
PID 452 wrote to memory of 3076	452	tdda.exe	110
PID 3076 wrote to memory of 4820	3076	ilzqgr.exe	111
PID 3076 wrote to memory of 4820	3076	ilzqgr.exe	111
PID 3076 wrote to memory of 4820	3076	ilzqgr.exe	111
PID 4820 wrote to memory of 944	4820	rtssmrwurb.exe	112
PID 4820 wrote to memory of 944	4820	rtssmrwurb.exe	112
PID 4820 wrote to memory of 944	4820	rtssmrwurb.exe	112
PID 944 wrote to memory of 1744	944	ndjq.exe	113
PID 944 wrote to memory of 1744	944	ndjq.exe	113
PID 944 wrote to memory of 1744	944	ndjq.exe	113
PID 1744 wrote to memory of 2224	1744	chothcn.exe	115
PID 1744 wrote to memory of 2224	1744	chothcn.exe	115
PID 1744 wrote to memory of 2224	1744	chothcn.exe	115
PID 2224 wrote to memory of 1660	2224	nxmdwxh.exe	116
PID 2224 wrote to memory of 1660	2224	nxmdwxh.exe	116
PID 2224 wrote to memory of 1660	2224	nxmdwxh.exe	116
PID 1660 wrote to memory of 4744	1660	ftjnlxyxeffy.exe	117
PID 1660 wrote to memory of 4744	1660	ftjnlxyxeffy.exe	117
PID 1660 wrote to memory of 4744	1660	ftjnlxyxeffy.exe	117
PID 4744 wrote to memory of 2804	4744	yeagqghkiumco.exe	118
PID 4744 wrote to memory of 2804	4744	yeagqghkiumco.exe	118
PID 4744 wrote to memory of 2804	4744	yeagqghkiumco.exe	118
PID 2804 wrote to memory of 4176	2804	wnye.exe	119
PID 2804 wrote to memory of 4176	2804	wnye.exe	119
PID 2804 wrote to memory of 4176	2804	wnye.exe	119
PID 4176 wrote to memory of 3832	4176	vzzw.exe	127
PID 4176 wrote to memory of 3832	4176	vzzw.exe	127
PID 4176 wrote to memory of 3832	4176	vzzw.exe	127
PID 3832 wrote to memory of 960	3832	yindcydngcz.exe	128
PID 3832 wrote to memory of 960	3832	yindcydngcz.exe	128
PID 3832 wrote to memory of 960	3832	yindcydngcz.exe	128
PID 960 wrote to memory of 2268	960	fbyzwlmzlxwvm.exe	129
PID 960 wrote to memory of 2268	960	fbyzwlmzlxwvm.exe	129
PID 960 wrote to memory of 2268	960	fbyzwlmzlxwvm.exe	129
PID 2268 wrote to memory of 404	2268	tnpugclblu.exe	130
PID 2268 wrote to memory of 404	2268	tnpugclblu.exe	130
PID 2268 wrote to memory of 404	2268	tnpugclblu.exe	130
PID 404 wrote to memory of 1676	404	qksk.exe	131
PID 404 wrote to memory of 1676	404	qksk.exe	131
PID 404 wrote to memory of 1676	404	qksk.exe	131
PID 1676 wrote to memory of 780	1676	ravowllmfvy.exe	135
PID 1676 wrote to memory of 780	1676	ravowllmfvy.exe	135
PID 1676 wrote to memory of 780	1676	ravowllmfvy.exe	135
PID 780 wrote to memory of 3028	780	ewjkaqakzgwhv.exe	136
PID 780 wrote to memory of 3028	780	ewjkaqakzgwhv.exe	136
PID 780 wrote to memory of 3028	780	ewjkaqakzgwhv.exe	136

C:\Users\Admin\AppData\Local\Temp\ac1515570f1ce8bf3d1655030128ec06_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ac1515570f1ce8bf3d1655030128ec06_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Windows\SysWOW64\ivxrnfklazjpv.exe
  C:\Windows\system32\ivxrnfklazjpv.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Windows\SysWOW64\azvklz.exe
    C:\Windows\system32\azvklz.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID:4200
  - - C:\Windows\SysWOW64\ymbvjm.exe
      C:\Windows\system32\ymbvjm.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: RenamesItself
      Suspicious use of WriteProcessMemory
      PID:3596
    - - C:\Windows\SysWOW64\tztgwjdvaseho.exe
        
        C:\Windows\system32\tztgwjdvaseho.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:4868
      - C:\Windows\SysWOW64\tdda.exe
        
        C:\Windows\system32\tdda.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\ilzqgr.exe
        
        C:\Windows\system32\ilzqgr.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\rtssmrwurb.exe
        
        C:\Windows\system32\rtssmrwurb.exe
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\ndjq.exe
        
        C:\Windows\system32\ndjq.exe
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\chothcn.exe
        
        C:\Windows\system32\chothcn.exe
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\nxmdwxh.exe
        
        C:\Windows\system32\nxmdwxh.exe
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\ftjnlxyxeffy.exe
        
        C:\Windows\system32\ftjnlxyxeffy.exe
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\yeagqghkiumco.exe
        
        C:\Windows\system32\yeagqghkiumco.exe
        13⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\wnye.exe
        
        C:\Windows\system32\wnye.exe
        14⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\vzzw.exe
        
        C:\Windows\system32\vzzw.exe
        15⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\yindcydngcz.exe
        
        C:\Windows\system32\yindcydngcz.exe
        16⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\fbyzwlmzlxwvm.exe
        
        C:\Windows\system32\fbyzwlmzlxwvm.exe
        17⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\tnpugclblu.exe
        
        C:\Windows\system32\tnpugclblu.exe
        18⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\qksk.exe
        
        C:\Windows\system32\qksk.exe
        19⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\ravowllmfvy.exe
        
        C:\Windows\system32\ravowllmfvy.exe
        20⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\ewjkaqakzgwhv.exe
        
        C:\Windows\system32\ewjkaqakzgwhv.exe
        21⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: RenamesItself
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\lhtxndpnp.exe
        
        C:\Windows\system32\lhtxndpnp.exe
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:3028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1040,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4384 /prefetch:8
1⤵
PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/404-69-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/452-43-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/944-49-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/960-65-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1660-55-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1676-71-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1744-51-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2224-53-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2268-67-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2804-59-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3076-44-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3464-5-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/3464-7-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/3464-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3464-3-0x0000000003660000-0x0000000003661000-memory.dmp

Filesize
4KB

Download
memory/3464-1-0x00000000035E0000-0x00000000035FB000-memory.dmp

Filesize
108KB

Download
memory/3464-4-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/3464-8-0x0000000003780000-0x0000000003781000-memory.dmp

Filesize
4KB

Download
memory/3464-19-0x00000000037C0000-0x00000000037C1000-memory.dmp

Filesize
4KB

Download
memory/3464-6-0x00000000036D0000-0x00000000036D1000-memory.dmp

Filesize
4KB

Download
memory/3464-21-0x00000000035E0000-0x00000000035FB000-memory.dmp

Filesize
108KB

Download
memory/3464-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3464-2-0x0000000003610000-0x0000000003611000-memory.dmp

Filesize
4KB

Download
memory/3596-34-0x0000000003600000-0x000000000361B000-memory.dmp

Filesize
108KB

Download
memory/3596-40-0x0000000003600000-0x000000000361B000-memory.dmp

Filesize
108KB

Download
memory/3596-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3832-63-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3912-14-0x0000000003790000-0x0000000003791000-memory.dmp

Filesize
4KB

Download
memory/3912-18-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3912-17-0x0000000003770000-0x0000000003771000-memory.dmp

Filesize
4KB

Download
memory/3912-33-0x00000000004C0000-0x00000000004DB000-memory.dmp

Filesize
108KB

Download
memory/3912-31-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/3912-16-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/3912-15-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/3912-13-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/3912-12-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/3912-11-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/3912-10-0x00000000004C0000-0x00000000004DB000-memory.dmp

Filesize
108KB

Download
memory/4176-61-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4200-36-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4200-22-0x0000000000690000-0x00000000006AB000-memory.dmp

Filesize
108KB

Download
memory/4200-28-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/4200-29-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/4200-27-0x0000000003770000-0x0000000003771000-memory.dmp

Filesize
4KB

Download
memory/4200-26-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/4200-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4200-23-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4200-25-0x0000000003790000-0x0000000003791000-memory.dmp

Filesize
4KB

Download
memory/4200-24-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/4200-38-0x0000000000690000-0x00000000006AB000-memory.dmp

Filesize
108KB

Download
memory/4744-57-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4820-47-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4868-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download