fdf56ed2a4c3cd26ceffe5bab766a72c1ea50db9a9c1d1c952b1e6453dafa357

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac513f77ce40cb061d206763692e7f62_JaffaCakes118.exe
Size

4.0MB
MD5

ac513f77ce40cb061d206763692e7f62
SHA1

83bd56ccca0bd281e6d3d009abfffbc7bcca00cd
SHA256

fdf56ed2a4c3cd26ceffe5bab766a72c1ea50db9a9c1d1c952b1e6453dafa357
SHA512

4de6686cf7dfe429629acea45d7c2b5917fd318683644000478a7e7b44608521d2a4285686f16dbb675a9272e4319cb29e9a96b7564316a03d13a3b8b7e802c7
SSDEEP

98304:pP6SHEozb7dzJsenhbhahz4rTZU0ym1ix8fI6OLN/o8jEgt:pd7M2hahsrTHyAHfI6OBht

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac513f77ce40cb061d206763692e7f62_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2900	2232	ac513f77ce40cb061d206763692e7f62_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2900	2232	ac513f77ce40cb061d206763692e7f62_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2900	2232	ac513f77ce40cb061d206763692e7f62_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2900	2232	ac513f77ce40cb061d206763692e7f62_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2900	2232	ac513f77ce40cb061d206763692e7f62_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2900	2232	ac513f77ce40cb061d206763692e7f62_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2900	2232	ac513f77ce40cb061d206763692e7f62_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\ac513f77ce40cb061d206763692e7f62_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ac513f77ce40cb061d206763692e7f62_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\MSIEXEC.EXE
  MSIEXEC.EXE /p "C:\Users\Admin\AppData\Local\Temp\{93BF988C-9AE4-4BC8-95C1-C1F636F5C55A}\EventSentry v292a Update.msp" REINSTALLMODE=omus REINSTALL=ALL SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="ac513f77ce40cb061d206763692e7f62_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_isA5F7.tmp

Filesize
1KB

MD5
2a0e0e4d677c3322ec601ec9b0a2456e

SHA1
2211e5676fe355d16eb490a0e226fd84c782664e

SHA256
69a42720a9dc165712bb760ea61b77e9e4bce634ff1aee536388e6905c007d13

SHA512
d6dadfa750b5183dcedd55f2e1990d30db10555d2ce7a3f24e4f4e4ab2d3735d6e1cdd9ae6a78bac694e55f939f901d56f6efd2fa1bfccff87e0c400ff952a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\{93BF988C-9AE4-4BC8-95C1-C1F636F5C55A}\0x0409.ini

Filesize
13KB

MD5
758747727e96a23c7c5a5bbb011656e4

SHA1
51cc637e7eb3451d6dfa9465d949d6dfb2cd65c9

SHA256
bad3b2e854149df9413f06e6c1c7b7c875545393877f59b59907f6b083ce5825

SHA512
21ff9d365beb1b7809b89d540f41bf330515f05f6211c8327be43baf1f050e46ecc1654b0696e7c82a2a803267e38d780ffd83dea7448861f6e3b84838685627

Download Submit
C:\Users\Admin\AppData\Local\Temp\{93BF988C-9AE4-4BC8-95C1-C1F636F5C55A}\EventSentry v292a Update.msp

Filesize
3.9MB

MD5
d18be27adf07f290b4b7754aba547ff0

SHA1
9f4610a32f0e2a6ab3e0a2a707154a03885807fc

SHA256
46d119c8c448cf23a6df8be669b11fe600962175e3da397096051f2a10906168

SHA512
848f1cb496802a47d5164f9d56f4f7dd5c3def04e7a65ecc3a822c6fa6650096bbb06c20c252143c572c5d0a119c90e87780ea203db15f1420d7fa5b531fe8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{93BF988C-9AE4-4BC8-95C1-C1F636F5C55A}\Setup.INI

Filesize
2KB

MD5
edf06212e4732019e14e60c578f16369

SHA1
7bce20de1dbb06eedf76925f285ee97aa58ccc30

SHA256
be4b7a26058f67253eef44704279beed86c04c0f3957e69190b337e15ceeb10a

SHA512
1e70173244fa2fd92e9ff0605296c29d19579ac90c7511df5bc530ab1645b411cda5bc5eec1f6667d811181fec7dcd907f69dc797fe8788bed099af2ac85906f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{93BF988C-9AE4-4BC8-95C1-C1F636F5C55A}\_ISMSIDEL.INI

Filesize
594B

MD5
17495964012608722e93bcacd72fa1a5

SHA1
e997641ee4bfccace69028335e4bc764591422d9

SHA256
eeb998b44c42872ebfd37b840d34d695364101195936919b5f685560dfba0851

SHA512
e96a20d18586b5bb98b6d196837785f49d8191d66b3e61c02bdd08cb7486b94b0c3a887dc994a36903fd39bfeb3c7c560f4735b9a5e8c7bc4a7a5bca97bc29c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{93BF988C-9AE4-4BC8-95C1-C1F636F5C55A}\_ISMSIDEL.INI

Filesize
22B

MD5
8fef5f010ed3aaaf74d3214334be4088

SHA1
fa90e59e675de66d246d697a868edca1562f9d30

SHA256
55fa3d1388e8f2da8e7a35a2e809ca5924077a3c40eaee561c1e3686809f63c2

SHA512
c2a5ba5c311c016779a3024ae9600b29e718afe2b01103206bec72719b5e0e47bb1096cbd3b389b00a0705c565800a740a7003e4f8705e00fbfe0f2e2d3318d2

Download Submit