51d3bfccf4ab15b72945e9755e00ef544cf224df9db7bf30efa0df95a228113d

Analysis

max time kernel
147s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
Size

1.3MB
MD5

b12db271687e3db3f8c40f46d65a7c8d
SHA1

fbae6dc3e322b0cc0d82d08362f3c9098102f427
SHA256

51d3bfccf4ab15b72945e9755e00ef544cf224df9db7bf30efa0df95a228113d
SHA512

f4c7c1649a3b5d16751ce9f81f407364cdd7567043c0b6e8503ccac39118270a89c78406ecac9a4e09b9a82023aa91ecbe6d4f01f6ca583fdc6399d0f394953c
SSDEEP

12288:BrA/Zi0eQFflR9KhxiaGIIsLl91RAsgh1GMhBiF3vcq5VX:pGa879UyI9TRMM/Ffcqb

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2596	b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b12db271687e3db3f8c40f46d65a7c8d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fireflexx2.ini

Filesize
16KB

MD5
1ea783a4924f9245f608668a7dc4fa89

SHA1
5ddf4dc72544342c3e72024b9758e745f447ac46

SHA256
cace04b800e0e24f5fb2738ba931826b3143f3c0ae77c5b5aeb9e6ea862ec293

SHA512
74016062ee3ca7d68468c448156778777a7d980d516b41f102be23ff22a9eeb04076d581e0cf177f243d061b1179014096ae921272f0304d83c468075d5cbe1e

Download Submit
memory/2596-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2596-391-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2596-390-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download