55dd63075d08d76bca64e4ced507c9960e80a57d483e5125bb2c337312ddaf08

Analysis

max time kernel
140s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae327d827dda084c195d240707471c56_JaffaCakes118.exe
Size

2.0MB
MD5

ae327d827dda084c195d240707471c56
SHA1

5f6f2b2fd6621be8b381a0992f438f072c17f8dc
SHA256

55dd63075d08d76bca64e4ced507c9960e80a57d483e5125bb2c337312ddaf08
SHA512

eb9f1d8be52215b788fb8613ffaea4bd8732d2bc0ac293d33d15c4e0f3f7ccfd3c6a4f31d122f743117d71572a8c6ad11f5b79d7ffef958bb5fbb7514fe86914
SSDEEP

49152:gUvw8N+jl4YoguvxUgkhHngSr90splelw2746A3FXI35x7X/i:Dwr4Yoh+HgSiL3EO35Zi

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3232	is-Q7ET0.tmp

Loads dropped DLL 1 IoCs

pid	Process
3232	is-Q7ET0.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae327d827dda084c195d240707471c56_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-Q7ET0.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 3232	4336	ae327d827dda084c195d240707471c56_JaffaCakes118.exe	84
PID 4336 wrote to memory of 3232	4336	ae327d827dda084c195d240707471c56_JaffaCakes118.exe	84
PID 4336 wrote to memory of 3232	4336	ae327d827dda084c195d240707471c56_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\ae327d827dda084c195d240707471c56_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ae327d827dda084c195d240707471c56_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Users\Admin\AppData\Local\Temp\is-OB7JN.tmp\is-Q7ET0.tmp
  C:\Users\Admin\AppData\Local\Temp\is-OB7JN.tmp\is-Q7ET0.tmp /SL4 $B0062 C:\Users\Admin\AppData\Local\Temp\ae327d827dda084c195d240707471c56_JaffaCakes118.exe 1996029 68096
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-L482U.tmp\InnoExt.dll

Filesize
30KB

MD5
5a5a9afc264dfe7f9bdbbc047a434226

SHA1
8294a63320be6943c55f0298cf6a890a0eb8b0a4

SHA256
856993e75ff3035107b4ab94ad8cb53b3336c58d5ec581b1ac3d521f88d5975d

SHA512
41c52600ee161d74399eb20a81f2743b437310667ad6374a5288a9105391ccf2ab333ada116d01a26a0f9b11f0c82adcc66280a8d8ebdca166c96c701ef5a498

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OB7JN.tmp\is-Q7ET0.tmp

Filesize
550KB

MD5
f8af304447fc04618285f448d0651220

SHA1
ec2dd2c8b931501f977eefef5449b37373734415

SHA256
f0678194ef4b80ed8ec73ef78e5dff621c2602df47fb90e43800b6ab30c33d59

SHA512
c2e4cca9a38c8a5616936b2c643596c6125782bf32619eb9e890f9a7b4a293504151b22478e308656f43fc30e7ba4d9859e1a8ac1aba5e72169b8ded7cf39289

Download Submit
memory/3232-10-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3232-16-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4336-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4336-2-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download
memory/4336-15-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download