fdf56ed2a4c3cd26ceffe5bab766a72c1ea50db9a9c1d1c952b1e6453dafa357

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac513f77ce40cb061d206763692e7f62_JaffaCakes118.exe
Size

4.0MB
MD5

ac513f77ce40cb061d206763692e7f62
SHA1

83bd56ccca0bd281e6d3d009abfffbc7bcca00cd
SHA256

fdf56ed2a4c3cd26ceffe5bab766a72c1ea50db9a9c1d1c952b1e6453dafa357
SHA512

4de6686cf7dfe429629acea45d7c2b5917fd318683644000478a7e7b44608521d2a4285686f16dbb675a9272e4319cb29e9a96b7564316a03d13a3b8b7e802c7
SSDEEP

98304:pP6SHEozb7dzJsenhbhahz4rTZU0ym1ix8fI6OLN/o8jEgt:pd7M2hahsrTHyAHfI6OBht

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac513f77ce40cb061d206763692e7f62_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 4076	1464	ac513f77ce40cb061d206763692e7f62_JaffaCakes118.exe	92
PID 1464 wrote to memory of 4076	1464	ac513f77ce40cb061d206763692e7f62_JaffaCakes118.exe	92
PID 1464 wrote to memory of 4076	1464	ac513f77ce40cb061d206763692e7f62_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\ac513f77ce40cb061d206763692e7f62_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ac513f77ce40cb061d206763692e7f62_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\SysWOW64\MSIEXEC.EXE
  MSIEXEC.EXE /p "C:\Users\Admin\AppData\Local\Temp\{29893742-1980-4D30-ABDF-088DDDAFB6E0}\EventSentry v292a Update.msp" REINSTALLMODE=omus REINSTALL=ALL SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="ac513f77ce40cb061d206763692e7f62_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_is8FC4.tmp

Filesize
1KB

MD5
2a0e0e4d677c3322ec601ec9b0a2456e

SHA1
2211e5676fe355d16eb490a0e226fd84c782664e

SHA256
69a42720a9dc165712bb760ea61b77e9e4bce634ff1aee536388e6905c007d13

SHA512
d6dadfa750b5183dcedd55f2e1990d30db10555d2ce7a3f24e4f4e4ab2d3735d6e1cdd9ae6a78bac694e55f939f901d56f6efd2fa1bfccff87e0c400ff952a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\{29893742-1980-4D30-ABDF-088DDDAFB6E0}\0x0409.ini

Filesize
13KB

MD5
758747727e96a23c7c5a5bbb011656e4

SHA1
51cc637e7eb3451d6dfa9465d949d6dfb2cd65c9

SHA256
bad3b2e854149df9413f06e6c1c7b7c875545393877f59b59907f6b083ce5825

SHA512
21ff9d365beb1b7809b89d540f41bf330515f05f6211c8327be43baf1f050e46ecc1654b0696e7c82a2a803267e38d780ffd83dea7448861f6e3b84838685627

Download Submit
C:\Users\Admin\AppData\Local\Temp\{29893742-1980-4D30-ABDF-088DDDAFB6E0}\EventSentry v292a Update.msp

Filesize
3.9MB

MD5
d18be27adf07f290b4b7754aba547ff0

SHA1
9f4610a32f0e2a6ab3e0a2a707154a03885807fc

SHA256
46d119c8c448cf23a6df8be669b11fe600962175e3da397096051f2a10906168

SHA512
848f1cb496802a47d5164f9d56f4f7dd5c3def04e7a65ecc3a822c6fa6650096bbb06c20c252143c572c5d0a119c90e87780ea203db15f1420d7fa5b531fe8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{29893742-1980-4D30-ABDF-088DDDAFB6E0}\Setup.INI

Filesize
2KB

MD5
edf06212e4732019e14e60c578f16369

SHA1
7bce20de1dbb06eedf76925f285ee97aa58ccc30

SHA256
be4b7a26058f67253eef44704279beed86c04c0f3957e69190b337e15ceeb10a

SHA512
1e70173244fa2fd92e9ff0605296c29d19579ac90c7511df5bc530ab1645b411cda5bc5eec1f6667d811181fec7dcd907f69dc797fe8788bed099af2ac85906f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{29893742-1980-4D30-ABDF-088DDDAFB6E0}\_ISMSIDEL.INI

Filesize
594B

MD5
db50a4810c93ddcce925c014b312236a

SHA1
0f939bde3f7620a58d1f257909e23df79689e5ea

SHA256
cba8fcfc85f2f1d660e7055568cbb44911ac0a5c6c1e94611ff38019ecfb4917

SHA512
f061cbdc647f3576d9ba899ccd9032eee33085ec3c0e7dbe70f5b26ee0aeb53831d542a45c7e4d90604e77f7cb20947662e32b0c5c515b78994aec2103131f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\{29893742-1980-4D30-ABDF-088DDDAFB6E0}\_ISMSIDEL.INI

Filesize
210B

MD5
7b2677a3f8e61172f0c3bb928ccdf499

SHA1
806b8bb0c84a6b15220b42af799ae43b2e12c674

SHA256
076b89033c6533d157e4f27a4c34bbd220cb7f669679bda7b03cb8d9f1ce69b0

SHA512
9ca9b579b8ef584156e857ce2cbb4721fe964b4e209aa2cfc7c000a8e8949d54b1489c6abe6a110f60933803d18fa572277f4ae3bd8c7582a51b188217cb544e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{29893742-1980-4D30-ABDF-088DDDAFB6E0}\_ISMSIDEL.INI

Filesize
22B

MD5
8fef5f010ed3aaaf74d3214334be4088

SHA1
fa90e59e675de66d246d697a868edca1562f9d30

SHA256
55fa3d1388e8f2da8e7a35a2e809ca5924077a3c40eaee561c1e3686809f63c2

SHA512
c2a5ba5c311c016779a3024ae9600b29e718afe2b01103206bec72719b5e0e47bb1096cbd3b389b00a0705c565800a740a7003e4f8705e00fbfe0f2e2d3318d2

Download Submit