e1fb12c9dfc1bcf77e833a439c5264a332161d9708db19137956ba5499073df0

Analysis

max time kernel
124s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe
Size

89KB
MD5

af2de28a68236488c99605f2f56001b4
SHA1

557d203fc988106fb84d82ce9f0cad85285a8810
SHA256

e1fb12c9dfc1bcf77e833a439c5264a332161d9708db19137956ba5499073df0
SHA512

adc4c02e6886bb2caf06c8148316b90ff6ccac148661b516c1b6f81034b4bd37f1e0701f47b774cb720d5691cc6d0368da8685757afee5911bf4c931e17c078c
SSDEEP

1536:W3IWn6TcKebNXzTjI0GGFsNhSEO+k+bmNHEc6JgD7HjVeAR2vBC+oGUE:dWLNHfFsDSeKVEcsgnDXR25Ced

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\glok+7858-79d7.sys	af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe
File created	C:\Windows\glok+serv.config	af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe
File opened for modification	C:\Windows\glok+serv.config	af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 4716	872	af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe	86
PID 872 wrote to memory of 4716	872	af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe	86
PID 872 wrote to memory of 4716	872	af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe	86
PID 872 wrote to memory of 1272	872	af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe	87
PID 872 wrote to memory of 1272	872	af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe	87
PID 872 wrote to memory of 1272	872	af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe	87
PID 1272 wrote to memory of 1152	1272	w32tm.exe	90
PID 1272 wrote to memory of 1152	1272	w32tm.exe	90
PID 4716 wrote to memory of 2524	4716	w32tm.exe	91
PID 4716 wrote to memory of 2524	4716	w32tm.exe	91

C:\Users\Admin\AppData\Local\Temp\af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\af2de28a68236488c99605f2f56001b4_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\SysWOW64\w32tm.exe
  w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\system32\w32tm.exe
    w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
    3⤵
    PID:2524
- C:\Windows\SysWOW64\w32tm.exe
  w32tm /config /update
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\system32\w32tm.exe
    w32tm /config /update
    3⤵
    PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...