4f5113291c089577e0e55ed1f5bccfc8844cb0d52e3193d8620ae0c6ceecbcbe

Analysis

max time kernel
136s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe
Size

348KB
MD5

b06eed81f84cb14877870a084249dd7c
SHA1

c1899cd96b5cb62a3245ffd8f1a7e2583af044c7
SHA256

4f5113291c089577e0e55ed1f5bccfc8844cb0d52e3193d8620ae0c6ceecbcbe
SHA512

b0bdc4c35849b954073fc95f722d9f9fcdeda6064763c7946c5e15e9a318823303f9196767ff022d2a810125cf39fa28f2887fa8c3fd248b17e22bdcf2527de3
SSDEEP

6144:jlt0FBuElqMfzP+qVoEw8vApAWjg/qQYdpsh8I1lfJCpN53KhpKVH/5B2BLyOSMK:xKaExfr+qVrwYApTgXYw88fwupqfM+

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4392	Svghost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\_Svghost.exe	Svghost.exe
File created	C:\Windows\SysWOW64\_Svghost.exe	Svghost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4392 set thread context of 2052	4392	Svghost.exe	89

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Svghost.exe	b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe
File opened for modification	C:\Windows\Svghost.exe	b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe
File created	C:\Windows\Delet.bat	b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4908	2052	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svghost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 4392	3028	b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe	88
PID 3028 wrote to memory of 4392	3028	b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe	88
PID 3028 wrote to memory of 4392	3028	b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe	88
PID 4392 wrote to memory of 2052	4392	Svghost.exe	89
PID 4392 wrote to memory of 2052	4392	Svghost.exe	89
PID 4392 wrote to memory of 2052	4392	Svghost.exe	89
PID 4392 wrote to memory of 2052	4392	Svghost.exe	89
PID 4392 wrote to memory of 2052	4392	Svghost.exe	89
PID 4392 wrote to memory of 2540	4392	Svghost.exe	91
PID 4392 wrote to memory of 2540	4392	Svghost.exe	91
PID 3028 wrote to memory of 4732	3028	b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe	92
PID 3028 wrote to memory of 4732	3028	b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe	92
PID 3028 wrote to memory of 4732	3028	b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\Svghost.exe
  C:\Windows\Svghost.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\system32\notepad.exe"
    3⤵
    PID:2052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 12
      4⤵
      Program crash
      PID:4908
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\Delet.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2052 -ip 2052
1⤵
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Delet.bat

Filesize
212B

MD5
8c844080436bf4513b773e434d067278

SHA1
371fcefe7b168ae2666992276fa413b0d6068c0e

SHA256
ea4df1a75c60896077884a21389a6757af9bcf963cf0ccfee6f68f513d348a8c

SHA512
22eb8009dc761a94d64a79bc43d9f675ab0c4d864884823bc51fb913ec1e2e33f708d6864556e272fb227065ab355f1e8d230969b3cd1723254bdd5575c664db

Download Submit
C:\Windows\Svghost.exe

Filesize
348KB

MD5
b06eed81f84cb14877870a084249dd7c

SHA1
c1899cd96b5cb62a3245ffd8f1a7e2583af044c7

SHA256
4f5113291c089577e0e55ed1f5bccfc8844cb0d52e3193d8620ae0c6ceecbcbe

SHA512
b0bdc4c35849b954073fc95f722d9f9fcdeda6064763c7946c5e15e9a318823303f9196767ff022d2a810125cf39fa28f2887fa8c3fd248b17e22bdcf2527de3

Download Submit
memory/2052-9-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/3028-0-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/3028-14-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/4392-6-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/4392-13-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download